From 715688c78c7974b3e10ed01a8e0fed23b519e118 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 5 Jan 2017 20:50:08 +0100
Subject: [PATCH 01/91] exploit-kit and TDS added
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index fa11ee36..8036b78b 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,9 @@ to localized information (which is not shared) or additional information (that c
 # Available clusters
+- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years
 - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft
+- [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries.
 - [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
 - [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. MISP
From c3364add3c2dd7fe359f4c921e120432a6d8f062 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 6 Jan 2017 13:25:30 +0100
Subject: [PATCH 02/91] Cadelle and Chafer groups added
---
 clusters/threat-actor.json | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7560b054..fd58da79 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1219,6 +1219,22 @@ "meta": { "refs": ["https://citizenlab.org/2015/12/packrat-report/"] } + }, + { + "value": "Cadelle", + "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", + "meta": { + "refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"], + "country": "IR" + } + }, + { + "value": "Chafer", + "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", + "meta": { + "refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"], + "country": "IR" + } } ], "name": "Threat actor", @@ -1233,5 +1249,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 7 + "version": 8 } From ea9ebaf5d6e0b1c838f24d3a938ae91fecb062d8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 6 Jan 2017 13:51:22 +0100 Subject: [PATCH 03/91] PassCV group added --- clusters/threat-actor.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
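Review bot: The Cadelle and Chafer entries carry a byte-identical description, so nothing in the data distinguishes the two groups that the commit deliberately adds as separate values, even though the quoted Symantec text itself treats them as two teams. Trim each description to the part that applies to that group, or at least open each with the group name (`"description": "Cadelle: Symantec telemetry identified ..."`) so a consumer that renders only the description is not shown the same paragraph twice. Both entries state `"country": "IR"` as a bare structured fact while the description never mentions attribution; since the structured field is what downstream filters act on, a short hedge in the description keeps the two in agreement. The enclosing values array starts outside the hunk.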
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd58da79..b9bebd36 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1235,6 +1235,13 @@ "refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"], "country": "IR" } + }, + { + "value": "PassCV", + "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", + "meta": { + "refs": ["https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"] + } } ], "name": "Threat actor", 
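Review bot: The new PassCV description is pasted first-person copy from the cited Cylance post (`In this post we expand ...`, `We'd like to share ...`, `SPEAR believes`) and ends with a trailing space inside the string literal (`... development on. "`); stored this way it reads as if the cluster maintainers were speaking, and the trailing space reaches every consumer that renders the field. Trim the string to the descriptive sentences and drop the trailing space, for example ending it at `... custom code.`, and let the `refs` URL carry the third-party voice. The enclosing values array begins outside the hunk.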
@@ -1249,5 +1256,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 8 + "version": 9 } From a6cb478a3bd69963a757aa4add6eb6f90440b6ea Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 6 Jan 2017 22:26:53 +0100 Subject: [PATCH 04/91] Separate APT30 from Naikon group --- clusters/threat-actor.json | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b9bebd36..285d0409 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -289,7 +289,6 @@ "meta": { "synonyms": [ "PLA Unit 78020", - "APT 30", "Override Panda", "Camerashy", "APT.Naikon" @@ -1089,10 +1088,13 @@ { "meta": { "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://attack.mitre.org/wiki/Group/G0013" + ], + "synonyms": ["APT 30"], + "country": "CN" }, - "value": "APT30" + "value": "APT30", + "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches." }, { "meta": { @@ -1256,5 +1258,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 9 + "version": 10 } From fd030a431408db51f21067623cc716e442d302cf Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 6 Jan 2017 22:35:50 +0100 Subject: [PATCH 05/91] GeminiDuke added --- clusters/tool.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 429d3bb7..5699d71a 100644 
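Review bot: The rebuilt APT30 entry sets `"country": "CN"` as an unqualified fact while its own new description says the group is only "suspected to be associated with the Chinese government"; the structured field is what downstream tooling filters on, so the two now disagree on confidence. Either leave `"country"` out until the attribution is firmer, or keep it and reword the description so both say the same thing. The entry also keeps `"meta"` ahead of `"value"`, unlike the PassCV and Cadelle entries added in the preceding commits that lead with `"value"`; a consistent key order keeps future diffs on this file readable. The enclosing values array starts outside the hunk.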
--- a/clusters/tool.json +++ b/clusters/tool.json @@ -10,7 +10,7 @@ ], "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", - "version": 8, + "version": 9, "values": [ { "description": "Malware", @@ -1113,6 +1113,13 @@ ] }, "value": "Chthonic" + }, + { + "value": "GeminiDuke", + "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", + "meta": { + "refs": ["https://attack.mitre.org/wiki/Software/S0049"] + } } ] } From 5e5a6119f5f987647920aaea388b55a27a021e7f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 7 Jan 2017 14:48:45 +0100 Subject: [PATCH 06/91] Shiz Trojan + Shifu --- clusters/tool.json | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 5699d71a..eb26e3d7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -10,7 +10,7 @@ ], "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", - "version": 9, + "version": 10, "values": [ { "description": "Malware", 
@@ -1120,6 +1120,21 @@ "meta": { "refs": ["https://attack.mitre.org/wiki/Software/S0049"] } + }, + { + "value": "Shifu", + "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", + "meta": { + "refs": ["http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"], + "derivated-from": ["Shiz"] + } + }, + { + "value": "Shiz", + "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users. ", + "meta": { + "refs": ["https://securityintelligence.com/tag/shiz-trojan-malware/"] + } } ] } From bb47f52d246489e704054e3c381cf40222d57635 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 8 Jan 2017 11:23:01 +0100 Subject: [PATCH 07/91] MM Core added --- clusters/tool.json | 750 +++++++++++++++++++++++---------------------- 1 file changed, 387 insertions(+), 363 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index eb26e3d7..04a8e659 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
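Review bot: The Shifu entry introduces a new meta key spelled `"derivated-from"`; "derivated" is a misspelling of "derived", and because keys are the part of this file that consumers code against, a typo in a key is far harder to retire later than one in a description. Rename it before a second entry copies it, `"derived-from": ["Shiz"]`, and note that its value is a free-text name that a consumer can only resolve against `"value": "Shiz"` by exact string match. The Shiz description also ends with a trailing space inside the literal (`SAP users. "`). The enclosing values array begins outside the hunk.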
@@ -1,112 +1,100 @@ { - "name": "Tool", - "type": "tool", - "source": "MISP Project", - "author": [ - "Alexandre Dulaunoy", - "Florian Roth", - "Timo Steffens", - "Christophe Vandeplas" - ], - "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", - "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", - "version": 10, "values": [ { - "description": "Malware", - "value": "PlugX" + "value": "PlugX", + "description": "Malware" }, { "value": "MSUpdater" }, { - "description": "A password recovery tool regularly used by attackers", - "value": "Lazagne" + "value": "Lazagne", + "description": "A password recovery tool regularly used by attackers" }, { + "value": "Poison Ivy", + "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", "meta": { "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" ] - }, - "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", - "value": "Poison Ivy" + } }, { + "value": "SPIVY", + "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ] - }, - "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "value": "SPIVY" + } }, { "value": "Torn RAT" }, { + "value": "OzoneRAT", "meta": { + "refs": [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ], "synonyms": [ "Ozone RAT", "ozonercp" - ], - "refs": [ - "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" ] - }, - 
"value": "OzoneRAT" + } }, { "value": "ZeGhost" }, { + "value": "Backdoor.Dripion", + "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", "meta": { - "synonyms": [ - "Dripion" - ], "refs": [ "http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" - ] - }, - "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", - "value": "Backdoor.Dripion" - }, - { - "synonyms": [ - "Elise" - ], - "value": "Elise Backdoor" - }, - { - "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", - "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" ], "synonyms": [ - "Laziok" + "Dripion" ] - }, - "value": "Trojan.Laziok" + } }, { + "value": "Elise Backdoor", + "synonyms": [ + "Elise" + ] + }, + { + "value": "Trojan.Laziok", + "meta": { + "synonyms": [ + "Laziok" + ], + "refs": [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ] + }, + "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer." + }, + { + "value": "Slempo", + "description": "Android-based malware", "meta": { "synonyms": [ "GM-Bot", "Acecard" ] - }, - "description": "Android-based malware", - "value": "Slempo" + } }, { + "value": "PWOBot", + "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. 
The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" ] - }, - "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", - "value": "PWOBot" + } }, { "value": "Lstudio" 
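Review bot: The new side of this hunk deletes the cluster's file-level `name`, `type`, `source`, `author`, `description`, `uuid` and `version` fields from the top of the file and nothing in the hunk re-adds them; if they are re-emitted at the end of the file that is outside the view here, but if not the cluster loses the `uuid` and `version` that the earlier commits were careful to bump. The hunk also keeps `Elise Backdoor` as the only entry whose `"synonyms"` sit directly on the entry instead of under `"meta"` (`"value": "Elise Backdoor", "synonyms": [ "Elise" ]`), so a consumer reading `meta.synonyms` never sees it; moving it under `"meta"` matches every other entry. `Backdoor.Dripion` appears here with its description and ref, and appears a second time with the same text in the hunk starting at `@@ -625,265 +613,270 @@`, leaving the file with two values of the same name; one copy should go. Since the commit is titled "MM Core added" but is mostly a key reorder of every entry, splitting the reorder into its own commit would let the actual addition be reviewed on its own.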
@@ -115,46 +103,46 @@ "value": "Joy RAT" }, { + "value": "Lost Door RAT", + "descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" - ], "synonyms": [ "LostDoor RAT" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ] - }, - "descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", - "value": "Lost Door RAT" + } }, { + "value": "njRAT", "meta": { - "refs": [ - "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" - ], "synonyms": [ "Bladabindi" + ], + "refs": [ + "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ] - }, - "value": "njRAT" + } }, { + "value": "NanoCoreRAT", "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter" - ], "synonyms": [ "NanoCore" + ], + "refs": [ + "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter" ] - }, - "value": "NanoCoreRAT" + } }, { + "value": "Sakula", "meta": { "synonyms": [ "Sakurel" ] - }, - "value": "Sakula" + } }, { "value": "Derusbi" @@ -184,12 +172,12 @@ "value": "WEBC2" }, { + "value": "Pirpi", "meta": { "refs": [ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ] - }, - "value": "Pirpi" + } }, { "value": "RARSTONE" 
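Review bot: The Lost Door RAT entry keeps its text under the key `"descriptions"` (plural), so a consumer that reads `"description"` like it does for every other entry in this hunk gets nothing for it; the typo is carried over unchanged while the entry is being rewritten, which is the cheapest moment to fix it: `"description": "We recently came across a cyber attack ..."`. The enclosing values array starts outside the hunk.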
@@ -204,16 +192,16 @@ "value": "NETEAGLE" }, { + "value": "Agent.BTZ", "meta": { "synonyms": [ "ComRat" ] - }, - "value": "Agent.BTZ" + } }, { - "description": "RAT bundle with standard VNC (to avoid/limit A/V detection).", - "value": "Heseber BOT" + "value": "Heseber BOT", + "description": "RAT bundle with standard VNC (to avoid/limit A/V detection)." }, { "value": "Agent.dne" 
@@ -231,85 +219,85 @@ "value": "Winexe" }, { - "description": "RAT initialy identified in 2011 and still actively used.", - "value": "Dark Comet" + "value": "Dark Comet", + "description": "RAT initialy identified in 2011 and still actively used." }, { - "description": "RAT for Apple OS X platforms", - "value": "AlienSpy" + "value": "AlienSpy", + "description": "RAT for Apple OS X platforms" }, { + "value": "Cadelspy", "meta": { "synonyms": [ "WinSpy" ] - }, - "value": "Cadelspy" + } }, { + "value": "CMStar", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ] - }, - "value": "CMStar" + } }, { + "value": "DHS2015", "meta": { - "refs": [ - "https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf" - ], "synonyms": [ "iRAT" + ], + "refs": [ + "https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf" ] - }, - "value": "DHS2015" + } }, { + "value": "Gh0st Rat", + "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", "meta": { - "refs": [ - "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf" - ], "synonyms": [ "Gh0stRat, GhostRat" + ], + "refs": [ + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf" ] - }, - "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", - "value": "Gh0st Rat" + } }, { + "value": "Fakem RAT", + "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). 
", "meta": { - "refs": [ - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf" - ], "synonyms": [ "FAKEM" + ], + "refs": [ + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf" ] - }, - "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ", - "value": "Fakem RAT" + } }, { + "value": "MFC Huner", "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/" - ], "synonyms": [ "Hupigon", "BKDR_HUPIGON" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/" ] - }, - "value": "MFC Huner" + } }, { + "value": "Blackshades", + "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.", "meta": { "refs": [ "https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection", "https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/" ] - }, - "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.", - "value": "Blackshades" + } }, { "value": "CORESHELL" @@ -324,21 +312,21 @@ "value": "OLDBAIT" }, { + "value": "Havex RAT", "meta": { "synonyms": [ "Havex" ] - }, - "value": "Havex RAT" + } }, { + "value": "KjW0rm", + "description": "RAT initially written in VB.", "meta": { "refs": [ "https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/" ] - }, - "description": "RAT initially written in VB.", - "value": "KjW0rm" + } }, { "value": "TinyTyphon" 
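Review bot: In the Gh0st Rat entry the synonyms array holds a single string `"Gh0stRat, GhostRat"` that packs two names with a comma, so neither `Gh0stRat` nor `GhostRat` matches when a consumer compares synonyms by exact value; it should be two elements, `"Gh0stRat",` and `"GhostRat"`. In the same hunk `Dark Comet` keeps `initialy` in its description and `Fakem RAT` keeps a trailing space inside the description string (`HTML pages). "`); both survive the rewrite unchanged. The enclosing values array starts outside the hunk.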
@@ -425,85 +413,85 @@ "value": "Tdrop2" }, { + "value": "ZXShell", "meta": { - "refs": [ - "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html" - ], "synonyms": [ "Sensode" + ], + "refs": [ + "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html" ] - }, - "value": "ZXShell" + } }, { + "value": "T9000", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" ] - }, - "value": "T9000" + } }, { + "value": "T5000", "meta": { - "refs": [ - "http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml" - ], "synonyms": [ "Plat1" + ], + "refs": [ + "http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml" ] - }, - "value": "T5000" + } }, { + "value": "Taidoor", "meta": { "refs": [ "http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks" ] - }, - "value": "Taidoor" + } }, { + "value": "Swisyn", "meta": { "refs": [ "http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/" ] - }, - "value": "Swisyn" + } }, { + "value": "Rekaf", "meta": { "refs": [ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ] - }, - "value": "Rekaf" + } }, { "value": "Scieron" }, { + "value": "SkeletonKey", "meta": { "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" ] - }, - "value": "SkeletonKey" + } }, { + "value": "Skyipot", "meta": { "refs": [ "http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/" ] - }, - "value": "Skyipot" + } }, { + "value": "Spindest", "meta": { "refs": [ "http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/" ] - }, - "value": "Spindest" + } }, { 
"value": "Preshin" 
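Review bot: The entry `"value": "Skyipot"` is retained with that spelling while its only ref points at `another-sykipot-sample-likely-targeting-us-federal-agencies`, so the value is very likely a transposition of Sykipot; because `value` is the name consumers match on, the misspelling means a lookup for Sykipot misses this entry. Correct it to `"value": "Sykipot"` and, if the old spelling has been relied upon, keep `"Skyipot"` as a synonym under `meta`. The enclosing values array starts outside the hunk.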
@@ -512,111 +500,111 @@ "value": "Oficla" }, { + "value": "PCClient RAT", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/" ] - }, - "value": "PCClient RAT" + } }, { "value": "Plexor" }, { + "value": "Mongall", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] - }, - "value": "Mongall" + } }, { + "value": "NeD Worm", "meta": { "refs": [ "http://www.clearskysec.com/dustysky/" ] - }, - "value": "NeD Worm" + } }, { + "value": "NewCT", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] - }, - "value": "NewCT" + } }, { + "value": "Nflog", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] - }, - "value": "Nflog" + } }, { + "value": "Janicab", "meta": { "refs": [ "http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/" ] - }, - "value": "Janicab" + } }, { + "value": "Jripbot", "meta": { - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - ], "synonyms": [ "Jiripbot" + ], + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" ] - }, - "value": "Jripbot" + } }, { + "value": "Jolob", "meta": { "refs": [ "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ] - }, - "value": "Jolob" + } }, { + "value": "IsSpace", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] - }, - "value": "IsSpace" + } }, { + "value": "Hoardy", "meta": { "synonyms": [ "Hoarde", "Phindolp", "BS2005" ] - }, - "value": "Hoardy" + } }, { + "value": 
"Htran", "meta": { "refs": [ "http://www.secureworks.com/research/threats/htran/" ] - }, - "value": "Htran" + } }, { + "value": "HTTPBrowser", "meta": { - "refs": [ - "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" - ], "synonyms": [ "TokenControl" + ], + "refs": [ + "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" ] - }, - "value": "HTTPBrowser" + } }, { "value": "Disgufa" 
@@ -625,265 +613,270 @@ "value": "Elirks" }, { + "value": "Snifula", "meta": { - "refs": [ - "https://www.circl.lu/pub/tr-13/" - ], "synonyms": [ "Ursnif" + ], + "refs": [ + "https://www.circl.lu/pub/tr-13/" ] - }, - "value": "Snifula" + } }, { + "value": "Aumlib", "meta": { - "refs": [ - "http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks" - ], "synonyms": [ "Yayih", "mswab", "Graftor" + ], + "refs": [ + "http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks" ] - }, - "value": "Aumlib" + } }, { + "value": "CTRat", "meta": { "refs": [ "http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html" ] - }, - "value": "CTRat" + } }, { + "value": "Emdivi", "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan" - ], "synonyms": [ "Newsripper" + ], + "refs": [ + "http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan" ] - }, - "value": "Emdivi" + } }, { + "value": "Etumbot", "meta": { - "refs": [ - "www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf" - ], "synonyms": [ "Exploz", "Specfix", "RIPTIDE" + ], + "refs": [ + "www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf" ] - }, - "value": "Etumbot" + } }, { + "value": "Fexel", "meta": { "synonyms": [ "Loneagent" ] - }, - "value": "Fexel" + } }, { + "value": "Fysbis", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" ] - }, - "value": "Fysbis" + } }, { + "value": "Hikit", "meta": { "refs": [ "https://blog.bit9.com/2013/02/25/bit9-security-incident-update/" ] - }, - 
"value": "Hikit" + } }, { + "value": "Hancitor", "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" + ], "synonyms": [ "Tordal", "Chanitor" - ], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] - }, - "value": "Hancitor" + } }, { + "value": "Ruckguv", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] - }, - "value": "Ruckguv" + } }, { + "value": "HerHer Trojan", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ] - }, - "value": "HerHer Trojan" + } }, { + "value": "Helminth backdoor", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ] - }, - "value": "Helminth backdoor" + } }, { + "value": "HDRoot", "meta": { "refs": [ "http://williamshowalter.com/a-universal-windows-bootkit/" ] - }, - "value": "HDRoot" + } }, { + "value": "IRONGATE", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" ] - }, - "value": "IRONGATE" + } }, { + "value": "ShimRAT", "meta": { "refs": [ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ] - }, - "value": "ShimRAT" + } }, { + "value": "X-Agent", "meta": { - "synonyms": [ - "XAgent" - ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/" + ], + "synonyms": [ + "XAgent" ] - }, - "value": "X-Agent" + } }, { + "value": "X-Tunnel", "meta": { "synonyms": [ "XTunnel" ] - }, - "value": "X-Tunnel" + } }, { + "value": "Foozer", "meta": { "refs": [ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] - }, - "value": "Foozer" + } }, { + "value": "WinIDS", "meta": { "refs": [ 
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] - }, - "value": "WinIDS" + } }, { + "value": "DownRange", "meta": { "refs": [ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] - }, - "value": "DownRange" + } }, { + "value": "Mad Max", "meta": { "refs": [ "https://www.arbornetworks.com/blog/asert/mad-max-dga/" ] - }, - "value": "Mad Max" + } }, { + "value": "Crimson", + "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims", "meta": { "refs": [ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ] - }, - "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims", - "value": "Crimson" + } }, { + "value": "Prikormka", + "description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", "meta": { "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" ] - }, - "description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", - "value": "Prikormka" + } }, { + "value": "NanHaiShu", + "description": "This whitepaper details a malicious program we identify as NanHaiShu. 
Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.", "meta": { "refs": [ "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" ] - }, - "description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.", - "value": "NanHaiShu" + } }, { + "value": "Umbreon", + "description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", "meta": { "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/" ] - }, - "description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", - "value": "Umbreon" + } }, { + "value": "Odinaff", + "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", "refs": [ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" - ], - "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. 
These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", - "value": "Odinaff" + ] }, { + "value": "Hworm", + "description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.", "meta": { - "synonyms": [ - "Houdini" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/" + ], + "synonyms": [ + "Houdini" ] - }, - "description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. 
Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.", - "value": "Hworm" + } }, { + "value": "Backdoor.Dripion", + "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", "meta": { - "synonyms": [ - "Dripion" - ], "refs": [ "http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" + ], + "synonyms": [ + "Dripion" ] - }, - "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", - "value": "Backdoor.Dripion" + } }, { + "value": "Adwind", + "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.", "meta": { + "refs": [ + "https://securelist.com/blog/research/73660/adwind-faq/" + ], "synonyms": [ "AlienSpy", "Frutas", 
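Review bot: The Odinaff entry ends up with `"refs"` placed directly on the entry rather than under `"meta"` (the new side reads `"value": "Odinaff", "description": "...", "refs": [ ... ]` with no `"meta"` object at all), the only such shape in the hunk and invisible to a consumer reading `meta.refs`. While every other entry is being rewritten, wrap it: `"meta": { "refs": [ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ] }`. The Etumbot ref `www.arbornetworks.com/asert/...` has no URL scheme and so will not be treated as a link by consumers that validate refs. The enclosing values array starts outside the hunk.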
@@ -892,23 +885,18 @@ "JSocket", "jRat", "Backdoor:Java/Adwind" - ], - "refs": [ - "https://securelist.com/blog/research/73660/adwind-faq/" ] - }, - "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.", - "value": "Adwind" + } }, { + "value": "Angler EK", + "description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/", "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/" ] - }, - "description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.", - "value": "Angler EK" + } }, { "value": "Bedep" 
@@ -917,23 +905,23 @@ "value": "Cromptui" }, { - "description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage.", - "value": "Cryptowall" + "value": "Cryptowall", + "description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage." }, { "value": "CTB-Locker" }, { + "value": "Dridex", + "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", "meta": { - "synonyms": [ - "Cridex" - ], "refs": [ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf" + ], + "synonyms": [ + "Cridex" ] - }, - "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", - "value": "Dridex" + } }, { "value": "Fareit" 
@@ -942,52 +930,52 @@ "value": "Gafgyt" }, { + "value": "Gamarue", "meta": { - "synonyms": [ - "Andromeda" - ], "refs": [ "https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again" + ], + "synonyms": [ + "Andromeda" ] - }, - "value": "Gamarue" + } }, { - "description": "Ransomware", - "value": "Locky" + "value": "Locky", + "description": "Ransomware" }, { + "value": "Necurs", + "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", "meta": { "refs": [ "https://en.wikipedia.org/wiki/Necurs_botnet" ] - }, - "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", - "value": "Necurs" + } }, { + "value": "Nuclear Pack", "meta": { "synonyms": [ "Nuclear EK" ] - }, - "value": "Nuclear Pack" + } }, { "value": "Palevo" }, { + "value": "Akbot", "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Akbot" + ], "synonyms": [ "Qbot", "Qakbot", "PinkSlipBot" - ], - "refs": [ - "https://en.wikipedia.org/wiki/Akbot" ] - }, - "value": "Akbot" + } }, { "value": "Rig EK" 
@@ -996,97 +984,97 @@ "value": "Teslacrypt" }, { - "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. ", - "value": "Upatre" + "value": "Upatre", + "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. " }, { + "value": "Vawtrak", + "description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.", "meta": { "refs": [ "https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf" ] - }, - "description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.", - "value": "Vawtrak" + } }, { + "value": "Empire", + "description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework", "meta": { "refs": [ "https://github.com/adaptivethreat/Empire" ] - }, - "description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. 
Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework", - "value": "Empire" + } }, { + "value": "Explosive", + "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ", "meta": { "refs": [ "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" ] - }, - "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ", - "value": "Explosive" + } }, { + "value": "KeyBoy", + "description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data", "meta": { "refs": [ "https://citizenlab.org/2016/11/parliament-keyboy/", "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" ] - }, - "description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. 
Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data", - "value": "KeyBoy" + } }, { + "value": "Yahoyah", + "description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...", "meta": { - "synonyms": [ - "W32/Seeav" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - }, - "description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...", - "value": "Yahoyah" - }, - { - "description": "Delphi RAT used by Sofacy.", - "value": "Tartine" - }, - { - "meta": { - "synonyms": [ - "Linux/Mirai" ], + "synonyms": [ + "W32/Seeav" + ] + } + }, + { + "value": "Tartine", + "description": "Delphi RAT used by Sofacy." + }, + { + "value": "Mirai", + "description": "Mirai (Japanese for \"the future\") is malware that turns computer systems running Linux into remotely controlled \"bots\", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. 
The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.", + "meta": { "refs": [ "https://en.wikipedia.org/wiki/Mirai_(malware)" + ], + "synonyms": [ + "Linux/Mirai" ] - }, - "description": "Mirai (Japanese for \"the future\") is malware that turns computer systems running Linux into remotely controlled \"bots\", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.", - "value": "Mirai" + } }, { "value": "BASHLITE" }, { + "value": "BlackEnergy", + "description": "BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. 
We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.", "meta": { "refs": [ "https://www.virusbulletin.com/conference/vb2014/abstracts/back-blackenergy-2014-targeted-attacks-ukraine-and-poland/" ] - }, - "description": "BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.", - "value": "BlackEnergy" + } }, { + "value": "Trojan.Seaduke", "meta": { - "synonyms": [ - "Seaduke" - ], + "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.", "refs": [ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99" ], - "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files." 
- }, - "value": "Trojan.Seaduke" + "synonyms": [ + "Seaduke" + ] + } }, { "value": "Backdoor.Tinybaron" 
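Review bot: In the `Trojan.Seaduke` entry at the end of the `@@ -996,97 +984,97 @@` hunk, `description` is still nested inside `meta` on the new side, whereas every other entry in this hunk (Upatre, Vawtrak, Empire, Mirai, BlackEnergy) carries `description` as a sibling of `value`; a consumer reading the entry-level key will see no description for Seaduke. The reordering moved the line to the top of `meta` but did not lift it out; moving it up one level gives `"value": "Trojan.Seaduke",` / `"description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",` / `"meta": { "refs": [...], "synonyms": ["Seaduke"] }`. The surrounding entries look mechanically key-sorted, so this appears to be a pre-existing misplacement carried through rather than introduced here, but this commit is the natural place to fix it.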
@@ -1095,46 +1083,82 @@ "value": "Incognito RAT" }, { + "value": "DownRage", + "synonyms": [ + "Carberplike" + ], "meta": { "refs": [ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", "https://twitter.com/Timo_Steffens/status/814781584536719360" ] - }, - "synonyms": [ - "Carberplike" - ], - "value": "DownRage" + } }, { + "value": "Chthonic", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan" ] - }, - "value": "Chthonic" - }, - { - "value": "GeminiDuke", - "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", - "meta": { - "refs": ["https://attack.mitre.org/wiki/Software/S0049"] - } - }, - { - "value": "Shifu", - "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", - "meta": { - "refs": ["http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"], - "derivated-from": ["Shiz"] - } - }, - { - "value": "Shiz", - "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users. ", - "meta": { - "refs": ["https://securityintelligence.com/tag/shiz-trojan-malware/"] } + }, + { + "meta": { + "refs": [ + "https://attack.mitre.org/wiki/Software/S0049" + ] + }, + "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", + "value": "GeminiDuke" + }, + { + "meta": { + "derivated-from": [ + "Shiz" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" + ] + }, + "description": "Shifu is a Banking Trojan first discovered in 2015. 
Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", + "value": "Shifu" + }, + { + "meta": { + "refs": [ + "https://securityintelligence.com/tag/shiz-trojan-malware/" + ] + }, + "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users. ", + "value": "Shiz" + }, + { + "meta": { + "synonyms": [ + "MM Core backdoor", + "BigBoss", + "SillyGoose", + "BaneChant", + "StrangeLove" + ], + "refs": [ + "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" + ] + }, + "description": "Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.", + "value": "MM Core" } - ] + ], + "version": 11, + "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", + "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", + "author": [ + "Alexandre Dulaunoy", + "Florian Roth", + "Timo Steffens", + "Christophe Vandeplas" + ], + "source": "MISP Project", + "type": "tool", + "name": "Tool" } From 649c043ad27b1304f46810fba4e11742163cf8b0 Mon Sep 17 00:00:00 2001 
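Review bot: In the `DownRage` entry at the start of the `@@ -1095,46 +1083,82 @@` hunk, the new side keeps `synonyms` at the entry level (`"synonyms": ["Carberplike"]` directly after `"value"`), while every other tool entry in this patch places `synonyms` inside `meta`; a consumer that reads `meta.synonyms` will never see `Carberplike`. Moving the array into `meta` next to `refs` aligns it with its neighbours: `"meta": { "refs": [...], "synonyms": ["Carberplike"] }`. The four entries appended at the end of the list (GeminiDuke, Shifu, Shiz, MM Core) also use the order `meta`, `description`, `value`, whereas the same commit rewrites the entries above them to `value`, `description`, `meta`; key order is not significant to parsers, but one consistent order keeps future diffs of this file small. The `derivated-from` key under Shifu's `meta` is carried over from the old side; if it is not an established galaxy meta key, `derived-from` would be the conventional spelling, which should be checked against the schema before renaming.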
From: Alexandre Dulaunoy Date: Mon, 9 Jan 2017 23:07:57 +0100 Subject: [PATCH 08/91] Import manually cert-eu contribution - Fix the meta attributes (like the motive field ) to be within meta and not outside - Remove some "null" values that seems to come from previous tests - Pretty-print the Javascript (better for diffing) --- clusters/threat-actor.json | 230 +++++++++++++++++++++++++++---------- 1 file changed, 168 insertions(+), 62 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 285d0409..55357764 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -410,7 +410,8 @@ "GREF", "Playful Dragon", "APT 15", - "Metushy" + "Metushy", + "Social Network Team" ], "country": "CN", "refs": [ @@ -430,9 +431,11 @@ ], "refs": [ "http://www.crowdstrike.com/blog/whois-anchor-panda/" - ] + ], + "Motive": "Espionage" }, - "value": "Anchor Panda" + "value": "Anchor Panda", + "Description": "PLA Navy" }, { "meta": { @@ -457,7 +460,8 @@ "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" ] }, - "value": "Ice Fog" + "value": "Ice Fog", + "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well." }, { "meta": { @@ -467,7 +471,8 @@ ], "country": "CN" }, - "value": "Pitty Panda" + "value": "Pitty Panda", + "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials" }, { "value": "Roaming Tiger", @@ -497,16 +502,13 @@ }, { "meta": { - "country": "CN" + "country": "CN", + "synonyms": [ + "Shrouded Crossbow" + ] }, "value": "Radio Panda" }, - { - "meta": { - "country": "CN" - }, - "value": "Dagger Panda" - }, { "value": "APT.3102", "meta": { 
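Review bot: In the `@@ -430,9 +431,11 @@` hunk the added keys for Anchor Panda are spelled `"Motive": "Espionage"` and `"Description": "PLA Navy"` with a capital first letter, while the same commit adds `"motive"` in lowercase for Rebel Jackal and Anunak and every other entry uses lowercase `description`; JSON keys are case-sensitive, so these two values will be invisible to any consumer looking up `motive` or `description`. The two lines should read `"motive": "Espionage"` and `"description": "PLA Navy"`. The `@@ -497,16 +502,13 @@` hunk on this same line also drops the `Dagger Panda` entry outright, which the commit message (meta placement, null removal, pretty-printing) does not account for; if the removal is intentional it deserves a sentence in the message, otherwise the entry should be restored.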
@@ -598,7 +600,8 @@ "Group 26" ] }, - "value": "Flying Kitten" + "value": "Flying Kitten", + "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry." }, { "meta": { @@ -622,10 +625,12 @@ "synonyms": [ "Newscaster", "Parastoo", - "Group 83" + "Group 83", + "Newsbeef" ] }, - "value": "Charming Kitten" + "value": "Charming Kitten", + "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors." }, { "meta": { @@ -637,7 +642,7 @@ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" ] }, - "description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", + "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", "value": "Magic Kitten" }, { @@ -663,13 +668,16 @@ "meta": { "country": "IR", "synonyms": [ - "Operation Cleaver" + "Operation Cleaver", + "Tarh Andishan", + "Alibaba" ], "refs": [ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" ] }, - "value": "Cleaver" + "value": "Cleaver", + "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies." }, { "meta": { 
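Review bot: The description added for Charming Kitten in the `@@ -622,10 +625,12 @@` hunk reads `is an group with a suspected nexus to Iran`; since this string is shown to analysts verbatim, it should read `"description": "Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors."`. The same hunk adds `Newsbeef` to `synonyms` while the new description still lists only Parastoo and Newscaster as aliases; either drop the alias list from the prose or keep it in step with `synonyms`, so the two do not drift apart in later edits.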
@@ -682,9 +690,11 @@ "country": "TN", "synonyms": [ "FallagaTeam" - ] + ], + "motive": "Hacktivism-Nationalist" }, - "value": "Rebel Jackal" + "value": "Rebel Jackal", + "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region." }, { "meta": { @@ -707,7 +717,8 @@ "TG-4127", "Group-4127", "STRONTIUM", - "Grey-Cloud" + "Grey-Cloud", + "TAG_0700" ], "country": "RU", "refs": [ @@ -754,7 +765,10 @@ "WRAITH", "Turla Team", "Uroburos", - "Pfinet" + "Pfinet", + "TAG_0530", + "KRYPTON", + "Hippo Team" ], "refs": [ "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", @@ -788,7 +802,8 @@ "Sandworm Team", "Black Energy", "BlackEnergy", - "Quedagh" + "Quedagh", + "Voodoo Bear" ], "country": "RU", "refs": [ @@ -800,8 +815,10 @@ { "meta": { "country": "RU", - "refs": ["http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"] - }, + "refs": [ + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, "value": "TeleBots", "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." }, 
@@ -811,7 +828,8 @@ "Carbanak", "Carbon Spider" ], - "country": "RU" + "country": "RU", + "motive": "Cybercrime" }, "description": "Groups targeting financial organizations or people with significant financial assets.", "value": "Anunak" @@ -820,7 +838,8 @@ "meta": { "synonyms": [ "TeamSpy", - "Team Bear" + "Team Bear", + "Berserk Bear" ], "country": "RU", "refs": [ @@ -846,7 +865,10 @@ }, { "meta": { - "country": "RO" + "country": "RO", + "synonyms": [ + "FIN4" + ] }, "value": "Wolf Spider" }, @@ -854,13 +876,15 @@ "meta": { "country": "RU" }, - "value": "Boulder Bear" + "value": "Boulder Bear", + "description": "First observed activity in December 2013." }, { "meta": { "country": "RU" }, - "value": "Shark Spider" + "value": "Shark Spider", + "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets." }, { "meta": { @@ -876,7 +900,10 @@ "meta": { "country": "KP", "synonyms": [ - "OperationTroy" + "OperationTroy", + "Guardian of Peace", + "GOP", + "WHOis Team" ], "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" @@ -931,7 +958,8 @@ "country": "FR", "synonyms": [ "Animal Farm" - ] + ], + "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007." } }, { 
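Review bot: In the `@@ -931,7 +958,8 @@` hunk the new `description` for the Animal Farm entry (country `FR`) is inserted inside `meta`, after `synonyms`, whereas every other entry touched by this commit (Anunak, Boulder Bear and Shark Spider on this same line) keeps `description` as a sibling of `value` outside `meta`; tooling that reads the entry-level key will show no description for this group. Closing `meta` after `synonyms` and placing `"description": "In 2014, researchers at Kaspersky Lab ..."` next to `value` matches the placement the commit message itself says it is enforcing. The entry's `value` line is outside the hunk, so the final position of the new key relative to it cannot be fully seen here.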
@@ -967,7 +995,10 @@ ], "country": "UAE", "value": "Stealth Falcon", - "description": "Group targeting Emirati journalists, activists, and dissidents." + "description": "Group targeting Emirati journalists, activists, and dissidents.", + "synonyms": [ + "FruityArmor" + ] }, { "synonyms": [ @@ -1007,7 +1038,8 @@ "synonyms": [ "Chinastrats", "Patchwork", - "Monsoon" + "Monsoon", + "Sarit" ], "refs": [ "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", @@ -1042,7 +1074,8 @@ "refs": [ "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", "https://attack.mitre.org/wiki/Groups" - ] + ], + "country": "BR" }, "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", "value": "Poseidon Group" @@ -1088,9 +1121,12 @@ { "meta": { "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://attack.mitre.org/wiki/Group/G0013" + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://attack.mitre.org/wiki/Group/G0013" + ], + "synonyms": [ + "APT 30" ], - "synonyms": ["APT 30"], "country": "CN" }, "value": "APT30", @@ -1107,7 +1143,8 @@ "meta": { "refs": [ "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" - ] + ], + "country": "RU" }, "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", "value": "GCMAN" @@ -1116,7 +1153,8 @@ "meta": { "refs": [ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" - ] + ], + "country": "CN" }, "description": "Suckfly is a China-based threat group that has been active since at least 2014", "value": "Suckfly" 
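Review bot: In the `@@ -967,7 +995,10 @@` hunk the new `synonyms` array for Stealth Falcon (`"FruityArmor"`) is added at the entry level next to `value` and `description`, rather than inside `meta` where `synonyms` lives for the rest of the file. The surrounding context lines suggest this entry (and the one after it, which opens with `"synonyms"`) has no `meta` object at all, with `country` and `refs` also at the top level, which is exactly the shape the commit message says it is fixing; wrapping `country`, `refs` and the new `synonyms` in `"meta": { ... }` would bring it in line. The context value `"country": "UAE"` predates this commit but is not an ISO 3166-1 alpha-2 code like the `IR`, `RU`, `CN` values used elsewhere; `AE` is the matching code and is worth correcting while the entry is being restructured.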
@@ -1141,7 +1179,8 @@ "meta": { "refs": [ "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" - ] + ], + "country": "TU" }, "value": "StrongPity" }, @@ -1161,9 +1200,11 @@ "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - ] + ], + "country": "IR" }, - "value": "OilRig" + "value": "OilRig", + "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015." }, { "meta": { @@ -1181,7 +1222,8 @@ "Coldriver", "Reuse team", "Malware reusers", - "Callisto Group" + "Callisto Group", + "Dancing Salome" ] }, "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", 
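Review bot: The `@@ -1141,7 +1179,8 @@` hunk adds `"country": "TU"` to the StrongPity entry, but `TU` is not an assigned ISO 3166-1 alpha-2 code; the other `country` values this commit adds (`IR`, `RU`, `CN`, `BR`) are all alpha-2 codes, and Turkey's is `TR`. The line should read `"country": "TR"`. A consumer that maps `country` to a flag or a name lookup will silently fail on the current value.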
@@ -1190,60 +1232,124 @@ { "value": "TERBIUM", "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "meta" : { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"] + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" + ] } }, { "value": "Molerats", "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", "meta": { - "refs": ["https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"], - "synonyms": ["Gaza Hackers Team", "Operation Molerats"] - }}, + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" + ], + "synonyms": [ + "Gaza Hackers Team", + "Operation Molerats", + "Extreme Jackal" + ] + } + }, { "value": "PROMETHIUM", "description": "PROMETHIUM is an activity group that has been active as early as 2012. 
The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "meta": { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"] - } + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + } }, { "value": "NEODYMIUM", "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "meta": { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"] - } + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + } }, { "value": "Packrat", "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. 
The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", "meta": { - "refs": ["https://citizenlab.org/2015/12/packrat-report/"] - } + "refs": [ + "https://citizenlab.org/2015/12/packrat-report/" + ] + } }, { "value": "Cadelle", "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", "meta": { - "refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"], - "country": "IR" + "refs": [ + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "country": "IR" } }, { "value": "Chafer", "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. 
Symantec estimates that each team is made up of between 5 and 10 people.", "meta": { - "refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"], - "country": "IR" - } + "refs": [ + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "country": "IR" + } }, { "value": "PassCV", "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. 
", "meta": { - "refs": ["https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"] - } + "refs": [ + "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" + ], + "country": "CN" + } + }, + { + "value": "Sath-ı Müdafaa", + "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", + "meta": { + "country": "TU", + "motive": "Hacktivists-Nationalists" + } + }, + { + "value": "Aslan Neferler Tim", + "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", + "meta": { + "country": "TU", + "synonyms": [ + "Lion Soldiers Team", + "Phantom Turk" + ], + "motive": "Hacktivists-Nationalists" + } + }, + { + "value": "Ayyıldız Tim", + "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", + "meta": { + "country": "TU", + "synonyms": [ + "Crescent and Star" + ], + "motive": "Hacktivists-Nationalists" + } + }, + { + "value": "TurkHackTeam", + "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. 
According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", + "meta": { + "country": "TU", + "synonyms": [ + "Turk Hack Team" + ], + "motive": "Hacktivists-Nationalists" + } } ], "name": "Threat actor", @@ -1258,5 +1364,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 10 + "version": 11 } From 733f06585106979c63aa7c702fb835f48b8d67b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Wed, 11 Jan 2017 16:14:45 +0100 Subject: [PATCH 09/91] begin preventive-measure galaxy --- clusters/preventive-measure.json | 57 ++++++++++++++++++++++++++++++++ galaxies/preventive-measure.json | 7 ++++ 2 files changed, 64 insertions(+) create mode 100644 clusters/preventive-measure.json create mode 100644 galaxies/preventive-measure.json diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json new file mode 100644 index 00000000..1dcdc384 --- /dev/null +++ b/clusters/preventive-measure.json 
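Review bot: The four new Turkish hacktivist entries (Sath-ı Müdafaa, Aslan Neferler Tim, Ayyıldız Tim, TurkHackTeam) use `"country": "TU"`, which is not an ISO 3166-1 alpha-2 code; use `"country": "TR"` so the field matches `IR`, `CN`, `US` used elsewhere in the cluster. They are also the only entries without a `refs` list, so the claims about a backdoored DDoS tool and the Domaintools registration dates cannot be traced — add the source URL under `meta.refs`. PassCV gets `"country": "CN"` although the quoted description only says the stolen certificates were issued to companies across China, Taiwan, Korea, Europe, the US and Russia; if the Cylance post attributes the operators to China that is fine, otherwise drop the country or note the basis in the description. The `Extreme Jackal` synonym added to Molerats likewise has no supporting ref beyond the 2013 FireEye post already listed.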
@@ -0,0 +1,57 @@ +{ + "values": [ + { + "meta": { + "refs": [ + "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7." + ], + "Complexity": "Medium", + "Effectiveness": "High", + "Impact": "Low", + "Type": "Recovery" + }, + "value": "Backup and Restore Process", + "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups. + (Schrödinger's backup - it is both existent and non-existent until you've tried a restore" + }, + { + "meta": { + "refs": [ + "https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US", + "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter" + ], + "Complexity": "Low", + "Effectiveness": "High", + "Impact": "Low", + "Type": "GPO" + }, + "value": "Block Macros", + "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: + A.) Open downloaded documents in 'Protected View' + B.) Open downloaded documents and block all macros" + }, + { + "meta": { + "refs": [ + "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html" + ], + "Complexity": "Low", + "Effectiveness": "Medium", + "Impact": "Medium", + "Type": "GPO" + }, + "value": "Disable WSH", + "description": "Disable Windows Script Host" + }, + ], + "name": "Preventive Measure", + "type": "preventive-measure", + "source": "MISP Project", + "authors": [ + "Various" + ], + "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . 
The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", + "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65", + "version": 1 +} + diff --git a/galaxies/preventive-measure.json b/galaxies/preventive-measure.json new file mode 100644 index 00000000..9046977d --- /dev/null +++ b/galaxies/preventive-measure.json @@ -0,0 +1,7 @@ +{ + "name": "Preventive Measure", + "type": "preventive-measure", + "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", + "version": 1, + "uuid": "8168995b-adcd-4684-9e37-206c5771505a" +} From a42d4c4f4f45102ded4093f3868479a26dbf4607 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 11 Jan 2017 22:46:04 +0100 Subject: [PATCH 10/91] Shamoon added --- clusters/tool.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 04a8e659..6988a9ce 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
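Review bot: As committed, clusters/preventive-measure.json is not valid JSON: the `Backup and Restore Process` and `Block Macros` descriptions contain raw line breaks inside string literals, and the values array ends with `},` followed by `],` (a trailing comma), so a strict loader such as the MISP galaxy importer will reject the whole cluster. Encode the breaks as `\n` and drop the comma after the last element; the Schrödinger parenthetical is also missing its closing `)`. The meta keys `Complexity`, `Effectiveness`, `Impact`, `Type` are capitalised while every other cluster on this page uses lowercase meta keys (`refs`, `synonyms`, `country`) — settle on lowercase now, before consumers start keying on them.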
@@ -1147,9 +1147,16 @@ }, "description": "Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.", "value": "MM Core" + }, + { + "meta": { + "refs": ["https://en.wikipedia.org/wiki/Shamoon"] + }, + "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", + "value": "Shamoon" } ], - "version": 11, + "version": 12, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 8c740065c023d79c77c5b343708d24a43eaa3e76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Thu, 12 Jan 2017 11:48:10 +0100 Subject: [PATCH 11/91] complete preventive-measure --- clusters/preventive-measure.json | 182 +++++++++++++++++++++++++++++-- 1 file changed, 175 insertions(+), 7 deletions(-) diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json index 1dcdc384..491a24aa 100644 --- a/clusters/preventive-measure.json +++ b/clusters/preventive-measure.json 
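Review bot: The Shamoon description is pasted from Wikipedia with its footnote markers (`[a]`, `[1]`, `[2][3][4]`, `[5][6]`) left in, and they will surface verbatim in MISP tags and exports; strip them. The text says "also known as Disttrack" but the entry has no `synonyms`, so an event tagged with the Disttrack name will not match this cluster — add `"synonyms": ["Disttrack"]` under `meta`, as the Regin and Wipbot entries on this page do. Shamoon is commonly reported as a destructive wiper rather than an espionage tool; if the Wikipedia-derived "used for cyber espionage" sentence stays, a clause about the destructive payload would keep a defender from misreading the entry.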
@@ -11,8 +11,7 @@ "Type": "Recovery" }, "value": "Backup and Restore Process", - "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups. - (Schrödinger's backup - it is both existent and non-existent until you've tried a restore" + "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore" }, { "meta": { @@ -26,9 +25,7 @@ "Type": "GPO" }, "value": "Block Macros", - "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: - A.) Open downloaded documents in 'Protected View' - B.) Open downloaded documents and block all macros" + "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros" }, { "meta": { 
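Review bot: The rewritten backup description still lacks the closing parenthesis on `(Schrödinger's backup - it is both existent and non-existent until you've tried a restore`, and "on place" should read "in place". Suggested line: `"description": "Make sure to have adequate backup processes in place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore)"`. For a ransomware-prevention measure the caveat a practitioner wants is that the backups must be offline or otherwise not writable from the compromised host; one clause to that effect would justify the `Effectiveness: High` rating this entry carries.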
@@ -41,8 +38,180 @@ "Type": "GPO" }, "value": "Disable WSH", - "description": "Disable Windows Script Host" + "description": "Disable Windows Script Host", + "Possible Issues": "Administrative VBS scripts on Workstations" }, + { + "meta": { + "Complexity": "Low", + "Effectiveness": "Medium", + "Impact": "Low", + "Type": "Mail Gateway" + }, + "value": "Filter Attachments Level 1", + "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" + }, + { + "meta": { + "Complexity": "Low", + "Effectiveness": "High", + "Impact": "High", + "Type": "Mail Gateway" + }, + "value": "Filter Attachments Level 2", + "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm", + "Possible Issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " + }, + { + "meta": { + "refs": [ + "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/", + "http://www.thirdtier.net/ransomware-prevention-kit/" + ], + "Complexity": "Medium", + "Effectiveness": "Medium", + "Impact": "Medium", + "Type": "GPO" + }, + "value": "Restrict program execution", + "description": "Block all program executions from the %LocalAppData% and %AppData% folder", + "Possible Issues": "Web embedded software installers" + }, + { + "meta": { + "refs": [ + "http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm" + ], + "Complexity": "Low", + "Effectiveness": "Low", + "Impact": "Low", + "Type": "User Assistence" + }, + "value": "Show File Extensions", + "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file 
extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")" + }, + { + "meta": { + "refs": [ + "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx" + ], + "Complexity": "Low", + "Effectiveness": "Medium", + "Impact": "Low", + "Type": "GPO" + }, + "value": "Enforce UAC Prompt", + "description": "Enforce administrative users to confirm an action that requires elevated rights", + "Possible Issues": "administrator resentment" + }, + { + "meta": { + "Complexity": "Medium", + "Effectiveness": "Medium", + "Impact": "Medium", + "Type": "Best Practice" + }, + "value": "Remove Admin Privileges", + "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.", + "Possible Issues": "igher administrative costs" + }, + { + "meta": { + "Complexity": "Medium", + "Effectiveness": "Low", + "Impact": "Low", + "Type": "Best Practice" + }, + "value": "Restrict Workstation Communication", + "description": "Activate the Windows Firewall to restrict workstation to workstation communication" + }, + { + "meta": { + "Complexity": "Medium", + "Effectiveness": "High", + "Type": "Advanced Malware Protection" + }, + "value": "Sandboxing Email Input", + "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis" + }, + { + "meta": { + "Complexity": "Medium", + "Effectiveness": "Medium", + "Type": "3rd Party Tools" + }, + "value": "Execution Prevention", + "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor" + }, + { + "meta": { + "refs": [ + "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/" + ], + "Complexity": "Low", + "Effectiveness": "Medium", + "Impact": "Medium", + "Type": "GPO" + }, + "value": 
"Change Default \"Open With\" to Notepad", + "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer", + "Possible Issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." + }, + { + "meta": { + "refs": [ + "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm" + ], + "Complexity": "Low", + "Effectiveness": "Medium", + "Impact": "Low", + "Type": "Monitoring" + }, + "value": "File Screening", + "description": "Server-side file screening with the help of File Server Resource Manager" + }, + { + "meta": { + "refs": [ + "https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx", + "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx" + ], + "Complexity": "Medium", + "Effectiveness": "Medium", + "Impact": "Medium", + "Type": "GPO" + }, + "value": "Restrict program execution #2", + "description": "Block program executions (AppLocker)", + "Possible Issues": "Configure & test extensively" + }, + { + "meta": { + "refs": [ + "www.microsoft.com/emet", + "http://windowsitpro.com/security/control-emet-group-policy" + ], + "Complexity": "Medium", + "Effectiveness": "Medium", + "Impact": "Low", + "Type": "GPO" + }, + "value": "EMET", + "description": "Detect and block exploitation techniques" + }, + { + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/799792296883388416" + ], + "Complexity": "Medium", + "Effectiveness": "Low", + "Impact": "Low", + "Type": "3rd Party Tools" + }, + "value": "Sysmon", + "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring" + } ], "name": "Preventive Measure", "type": "preventive-measure", @@ -54,4 +223,3 @@ "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65", "version": 1 } - 
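Review bot: `Possible Issues` is added as a top-level key of each entry rather than inside `meta`, so it sits beside `value`/`description` where the galaxy format only expects `meta`, and consumers that validate the entry shape will drop or reject it; move it under `meta` (e.g. `"possible-issues"`) next to the other attributes. In `Filter Attachments Level 1` the list contains `.exe` twice; the `EMET` ref `www.microsoft.com/emet` has no scheme and will not resolve as a link; and there are typos in `"User Assistence"` and `"igher administrative costs"`. Two entries (`Sandboxing Email Input`, `Execution Prevention`) omit `Impact` while every other one sets it, so the field cannot be relied on. The `Restrict program execution` description should state that the `%LocalAppData%`/`%AppData%` rule covers only the user profile, so other user-writable locations remain unblocked unless the AppLocker measure (`Restrict program execution #2`) is also applied.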
From e4f4c9e19185555c95458f255a9a23afba3ab2c6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 12 Jan 2017 22:40:31 +0100 Subject: [PATCH 12/91] fix: Preventive measures added. --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8036b78b..ef2c0252 100644 --- a/README.md +++ b/README.md 
@@ -16,11 +16,12 @@ to localized information (which is not shared) or additional information (that c # Available clusters -- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years -- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft +- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years. +- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft. +- [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures. - [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries. - [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP -- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. MISP +- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. # Available Vocabularies From 7ede54c76c91edd4b1656b2e601b9b7771ffac23 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Fri, 13 Jan 2017 08:18:41 +0100 Subject: [PATCH 13/91] "the shoemaker's son always goes barefoot" Regin added --- clusters/tool.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 6988a9ce..8a9858b7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -359,7 +359,12 @@ "value": "FireMalv" }, { - "value": "Regin" + "value": "Regin", + "description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.", + "meta": { + "refs": ["https://en.wikipedia.org/wiki/Regin_(malware)"], + "synonyms": ["Prax","WarriorPride"] + } }, { "value": "Duqu" @@ -1156,7 +1161,7 @@ "value": "Shamoon" } ], - "version": 12, + "version": 13, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 19406277d4b83370163a36b65f2d860a49f0d813 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 13 Jan 2017 08:23:03 +0100 Subject: [PATCH 14/91] Equation Group added --- clusters/threat-actor.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 55357764..0caf168c 100644 --- a/clusters/threat-actor.json 
+++ b/clusters/threat-actor.json @@ -1350,6 +1350,14 @@ ], "motive": "Hacktivists-Nationalists" } + }, + { + "value": "Equation Group", + "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", + "meta": { + "country": "US", + "refs": ["https://en.wikipedia.org/wiki/Equation_Group"] + } } ], "name": "Threat actor", @@ -1364,5 +1372,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 11 + "version": 12 } From edea2d25ee8a9ad40141a14ccc05e64ad5225b91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Mon, 16 Jan 2017 12:08:20 +0100 Subject: [PATCH 15/91] add APT28's tools --- clusters/tool.json | 79 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 76 insertions(+), 3 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 8a9858b7..1d4a41b6 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
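Review bot: `"country": "US"` on the new Equation Group entry is an attribution whose basis is not visible in the entry — the description only says Kaspersky described the group's sophistication, and the single ref is Wikipedia — unlike the "China-based"/"Iranian" wording used elsewhere on this page. Either add the reporting that makes the link (keeping Wikipedia as a secondary ref) or leave `country` out so consumers do not treat it as vendor-confirmed attribution. The description is also missing its final period after `the creators of Stuxnet and Flame`.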
@@ -303,13 +303,86 @@ "value": "CORESHELL" }, { - "value": "CHOPSTICK" + "value": "CHOPSTICK", + "description": "backdoor", + "meta": { + "synonyms": [ + "Xagent", + "webhp", + "SPLM", + "(.v2 fysbis)" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ] + } }, { - "value": "SOURFACE" + "value": "EVILTOSS", + "description": "backdoor", + "meta": { + "synonyms": [ + "Sedreco", + "AZZY", + "Xagent", + "ADVSTORESHELL", + "NETUI" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ] + } }, { - "value": "OLDBAIT" + "value": "GAMEFISH", + "description": "backdoor", + "meta": { + "synonyms": [ + "Sednit", + "Seduploader", + "JHUHUGIT", + "Sofacy" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ] + } + }, + { + "value": "SOURFACE", + "description": "downloader - Older version of CORESHELL", + "meta": { + "synonyms": [ + "Sofacy" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ] + } + }, + { + "value": "OLDBAIT", + "description": "credential harvester", + "meta": { + "synonyms": [ + "Sasfis" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ] + } + }, + { + "value": "CORESHELL", + "description": "downloader - Newer version of SOURFACE", + "meta": { + "synonyms": [ + "Sofacy" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ] + } }, { "value": "Havex RAT", From 18153f31511fb5eb4e8cf5d4fb959b846cabef46 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 17 Jan 2017 20:55:27 +0100 Subject: [PATCH 16/91] GhostAdmin added --- clusters/tool.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 6988a9ce..b224bd47 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
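Review bot: The hunk adds a second `{ "value": "CORESHELL", ... }` entry while the context line at the top of the hunk shows the existing `"value": "CORESHELL"` entry is kept, so the cluster now holds two entries with the same value; MISP derives the tag name from `value`, so one is likely to shadow the other — merge the new `description` and `meta` into the existing entry instead. `Xagent` is listed as a synonym of both CHOPSTICK and EVILTOSS, and `Sofacy` of GAMEFISH, SOURFACE and CORESHELL, which makes synonym-based matching ambiguous; check the cited FireEye table and keep each alias on one tool (Sofacy is also the actor name and arguably does not belong under tools at all). `"(.v2 fysbis)"` is a remark rather than an alias; drop the parentheses or move it into `description`.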
@@ -1154,9 +1154,16 @@ }, "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", "value": "Shamoon" + }, + { + "value": "GhostAdmin", + "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.", + "meta": { + "refs": ["https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"] + } } ], - "version": 12, + "version": 13, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 44cc53d9567087385b61a0cb096b63767814cb29 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 19 Jan 2017 08:30:46 +0100 Subject: [PATCH 17/91] EyePyramid added --- clusters/tool.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index e892f95a..6b156f90 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1239,9 +1239,17 @@ "meta": { "refs": ["https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"] } + }, + { + "value": " EyePyramid Malware", + "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)", + "meta": { + "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"], + "country": "IT" + } } ], - "version": 13, + "version": 14, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 8987006c5d1d4a9266bfbac3e9883914ae909254 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 19 Jan 2017 14:16:55 +0100 Subject: [PATCH 18/91] LuminosityLink RAT added --- clusters/tool.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 6b156f90..06362480 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
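Review bot: The new entry's value is `" EyePyramid Malware"` with a leading space, which yields a tag that does not match the name a user would type; trim it to `"EyePyramid"`. `"country": "IT"` on a tool entry mixes actor attribution into the tool cluster — the other tool entries on this page carry only `refs`/`synonyms`, and the operators belong in threat-actor.json if anywhere. The description is about the arrests rather than the malware; lead with what EyePyramid is (spyware delivered by spear-phishing against politicians and businessmen, per the cited post) and keep the arrest context as a second sentence.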
@@ -1247,9 +1247,16 @@
 "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"],
 "country": "IT"
 }
+ },
+ {
+ "value": "LuminosityLink",
+ "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility",
+ "meta": {
+ "refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"]
+ }
 }
 ],
- "version": 14,
+ "version": 15,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From 8ed737402811194a08a724dd97519f1cf2a8e7cb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 20 Jan 2017 15:31:25 +0100
Subject: [PATCH 19/91] Tavdig was missing
---
 clusters/tool.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 06362480..ded44802 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -207,7 +207,12 @@
 "value": "Agent.dne"
 },
 {
- "value": "Wipbot"
+ "value": "Wipbot",
+ "description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)",
+ "meta": {
+ "synonyms": ["Tavdig", "Epic Turla"],
+ "refs": ["https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"]
+ }
 },
 {
 "value": "Turla"
@@ -1256,7 +1261,7 @@
 }
 }
 ],
- "version": 15,
+ "version": 16,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "author": [
From abca7a02d04eb547383515c1a872d1ce24a45c6d Mon Sep 17 00:00:00 2001
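Review bot: The description added to the Wipbot tool entry describes the Waterbug actor (`"Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot..."`) rather than the tool, so the record reads like a threat-actor entry inside tool.json; wording such as `"Trojan.Wipbot (also known as Tavdig and Epic Turla) is a backdoor used by the Waterbug group"` keeps the focus on the malware, and the actor sentence belongs with a Waterbug entry in threat-actor.json. If Epic Turla is tracked as a campaign name elsewhere in the repository, listing it under a tool's `synonyms` may also conflate the two.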
From: Alexandre Dulaunoy
Date: Mon, 23 Jan 2017 16:20:09 +0100
Subject: [PATCH 20/91] Greenbug added
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0caf168c..82f390bc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1358,6 +1358,13 @@
 "country": "US",
 "refs": ["https://en.wikipedia.org/wiki/Equation_Group"]
 }
+ },
+ {
+ "value": "Greenbug",
+ "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
+ "meta": {
+ "refs": ["https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"]
+ }
 }
 ],
 "name": "Threat actor",
@@ -1372,5 +1379,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 12
+ "version": 13
 }
From d09b25f2a071b92167176bdb972cc1edda43f30b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 25 Jan 2017 19:58:50 +0100
Subject: [PATCH 21/91] fix: BARIUM and LEAD added
---
 clusters/microsoft-activity-group.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 319fe979..116c4e13 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -69,6 +69,19 @@
 },
 "value": "PLATINUM",
 "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat."
+ },
+ {
+ "value": "BARIUM",
+ "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. 
Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
+ "meta": {
+ "refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"]
+ }
+ },
+ {
+ "value": "LEAD",
+ "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. 
Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
+ "meta": {
+ "refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"]
 }
 }
 ],
 "name": "Microsoft Activity Group actor",
@@ -79,6 +92,6 @@
 ],
 "description": "Activity groups as described by Microsoft",
 "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
- "version": 1
+ "version": 2
 }
From af16b7c6a16e6a516923f37c2d45ef6e3d02f348 Mon Sep 17 00:00:00 2001
From: cgi
Date: Thu, 26 Jan 2017 11:23:37 +0100
Subject: [PATCH 22/91] Adding Zeus to tools
---
 clusters/tool.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index ded44802..d583a212 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1194,6 +1194,21 @@
 "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.",
 "value": "GeminiDuke"
 },
+ {
+ "meta": {
+ "synonyms": [
+ "Trojan.Zbot",
+ "Zbot",
+ "ZeuS"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Zeus_(malware)",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99"
+ ]
+ },
+ "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.",
+ "value": "Zeus"
+ },
 {
 "meta": {
 "derivated-from": [
From 7460910673db9fb8adc1586b3db14d3a84dcf243 Mon Sep 17 00:00:00 2001
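Review bot: The LEAD description flattens a bulleted list from the source into one run-on sentence (`...textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty...`), so the victim categories merge into each other and the sentence boundaries are lost; separating the items, e.g. `...textiles, chemicals, and electronics; pharmaceutical companies; a company in the chemical industry; university faculty specializing in aeronautical engineering and research; ...`, would preserve the source's meaning. The same text opens with `"In contrast, LEAD..."`, which only makes sense when read directly after the BARIUM entry; each description should stand on its own. The BARIUM description in turn spends its first sentences on Microsoft's naming scheme, which describes the cluster's source rather than the group and could be moved to the cluster-level `description`. Both entries cite the same single blog post, so a second reference for each group would strengthen the attribution.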
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Fri, 27 Jan 2017 16:28:06 +0100
Subject: [PATCH 23/91] add csv to galaxy converter
---
 tools/csv_to_galaxy.py | 83 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 tools/csv_to_galaxy.py
diff --git a/tools/csv_to_galaxy.py b/tools/csv_to_galaxy.py
new file mode 100644
index 00000000..8f3e99c2
--- /dev/null
+++ b/tools/csv_to_galaxy.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import csv
+import argparse
+import uuid
+import json
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='CSV to Galaxy')
+ parser.add_argument("-c", "--csv", required=True, help="input csv")
+ parser.add_argument("-v", "--value", type=int, required=True, help="number of the column with the value")
+ parser.add_argument("-e", "--value_description", type=int, help="number of the column with description, if not defined, all other data wil be concataned")
+ parser.add_argument("-w", "--version", type=int, help="version of the galaxy")
+ parser.add_argument("-d", "--description", help="description of the galaxy")
+ parser.add_argument("-a", "--author", help="author of the galaxy")
+ parser.add_argument("-s", "--source", help="source of the galaxy")
+ parser.add_argument("-t", "--type", help="type of galaxy, also the name of the generated json")
+ parser.add_argument("-n", "--name", help="name of the galaxy")
+ parser.add_argument("-u", "--title", action='store_true', help="set it if the first line contains the name of the columns")
+
+ args = parser.parse_args()
+
+ values = []
+ if args.title is None:
+ args.title = False
+
+ with open(args.csv, newline='') as csvfile:
+ csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
+ for data in csvreader:
+ if args.title:
+ args.title = False
+ continue
+ temp = {}
+ temp["value"] = data[args.value]
+ if args.value_description is not None:
+ temp["description"] = data[args.value_description]
+ else:
+ temp["description"] = ""
+ for i in range(len(data)):
+ if i != args.value and data[i] != "":
+ temp["description"] = temp["description"] + data[i] + "; "
+ values.append(temp)
+
+ galaxy = {}
+ galaxy["values"] = values
+
+ if args.version is not None:
+ galaxy["version"] = args.version
+ else:
+ galaxy["version"] = 1
+
+ galaxy["uuid"] = str(uuid.uuid4())
+
+ if args.description is not None:
+ galaxy["description"] = 
args.description
+ else:
+ galaxy["description"] = "automagically generated galaxy"
+
+ if args.author is not None:
+ galaxy["authors"] = [args.author]
+ else:
+ galaxy["authors"] = ["authorname"]
+
+ if args.source is not None:
+ galaxy["source"] = args.source
+ else:
+ galaxy["source"] = "source"
+
+ if args.type is not None:
+ galaxy["type"] = args.type
+ else:
+ galaxy["type"] = "type"
+
+ if args.name is not None:
+ galaxy["name"] = args.name
+ else:
+ galaxy["name"] = "name"
+
+ print (galaxy)
+
+ with open(args.type+'.json', 'w') as outfile:
+ json.dump(galaxy, outfile)
From 5b68ec56db3e5165b18b8ee9d47c1ad9e0cecb77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Mon, 30 Jan 2017 14:41:47 +0100
Subject: [PATCH 24/91] improve csv_to_galaxy
---
 tools/csv_to_galaxy.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/tools/csv_to_galaxy.py b/tools/csv_to_galaxy.py
index 8f3e99c2..5d9c1949 100644
--- a/tools/csv_to_galaxy.py
+++ b/tools/csv_to_galaxy.py
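Review bot: `open(args.type+'.json', 'w')` at the end of the new script raises `TypeError` when `-t` is omitted, because the `"type"` fallback is written only into `galaxy["type"]` while `args.type` stays `None`; use the value actually chosen, `with open(galaxy["type"]+'.json', 'w') as outfile:`, or declare `-t` with `required=True`. The `if args.title is None: args.title = False` block is dead code, since `action='store_true'` already defaults the flag to `False`. The description loop appends `"; "` after every column, so each generated description ends with a stray separator (visible in the ransomware cluster produced later in this series), and `print (galaxy)` emits the Python repr rather than JSON. `data[args.value]` and `data[i]` are never checked against the row length, so a short or ragged CSV row aborts the whole conversion with `IndexError` instead of being reported and skipped.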
@@ -10,10 +10,10 @@ if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='CSV to Galaxy')
 parser.add_argument("-c", "--csv", required=True, help="input csv")
 parser.add_argument("-v", "--value", type=int, required=True, help="number of the column with the value")
- parser.add_argument("-e", "--value_description", type=int, help="number of the column with description, if not defined, all other data wil be concataned")
+ parser.add_argument("-e", "--value_description", type=int, nargs='+', help="number of the column with description, if not defined, all other data wil be concataned")
 parser.add_argument("-w", "--version", type=int, help="version of the galaxy")
 parser.add_argument("-d", "--description", help="description of the galaxy")
- parser.add_argument("-a", "--author", help="author of the galaxy")
+ parser.add_argument("-a", "--authors", nargs='+', help="author of the galaxy")
 parser.add_argument("-s", "--source", help="source of the galaxy")
 parser.add_argument("-t", "--type", help="type of galaxy, also the name of the generated json")
 parser.add_argument("-n", "--name", help="name of the galaxy")
@@ -33,10 +33,11 @@ if __name__ == '__main__':
 continue
 temp = {}
 temp["value"] = data[args.value]
+ temp["description"] = ""
 if args.value_description is not None:
- temp["description"] = data[args.value_description]
+ for i in args.value_description:
+ temp["description"] = temp["description"] + data[i].replace('\n', ' ') + "; "
 else:
- temp["description"] = ""
 for i in range(len(data)):
 if i != args.value and data[i] != "":
 temp["description"] = temp["description"] + data[i] + "; "
@@ -57,8 +58,10 @@ if __name__ == '__main__':
 else:
 galaxy["description"] = "automagically generated galaxy"
- if args.author is not None:
- galaxy["authors"] = [args.author]
+ if args.authors is not None:
+ galaxy["authors"] = []
+ for author in args.authors:
+ galaxy["authors"].append(author)
 else:
 galaxy["authors"] = ["authorname"]
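Review bot: `-e/--value_description` and `-a/--authors` now take `nargs='+'`, but their help strings still read `"number of the column with description..."` and `"author of the galaxy"` in the singular, so `--help` no longer describes what the options accept; e.g. `help="numbers of the columns holding the description; if not given, all other columns are concatenated"` and `help="authors of the galaxy"`. Renaming `--author` to `--authors` also changes the command line for anyone already calling the script; `parser.add_argument("-a", "--author", "--authors", nargs='+', ...)` keeps the old spelling as an alias.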
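Review bot: The newline-to-space replacement added in the `-e` branch is not applied in the `else` branch that follows, which still appends raw `data[i]`, so multi-line cells survive into the description whenever `-e` is not given; use `data[i].replace('\n', ' ')` in both places. Both branches also keep appending `"; "` after each column, so every description ends with a trailing separator; collecting the non-empty cells into a list and joining them with `"; "` once would remove it. The enclosing `for data in csvreader` loop starts outside the hunk.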
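Review bot: The `for author in args.authors: galaxy["authors"].append(author)` loop in the last hunk is a plain list copy; `galaxy["authors"] = list(args.authors)` states the same in one line. With `nargs='+'` the option always yields a non-empty list when given, so the `is not None` test is only there for the default case, which is worth saying in a one-line comment, e.g. `# -a not given: fall back to a placeholder author`.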
From bc05a2aeee339a1e5553bfedba1e89fec77e9dec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Mon, 30 Jan 2017 14:53:08 +0100
Subject: [PATCH 25/91] improve csv_to_galaxy 2
---
 tools/csv_to_galaxy.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/csv_to_galaxy.py b/tools/csv_to_galaxy.py
index 5d9c1949..6c43df4b 100644
--- a/tools/csv_to_galaxy.py
+++ b/tools/csv_to_galaxy.py
@@ -36,7 +36,8 @@ if __name__ == '__main__':
 temp["description"] = ""
 if args.value_description is not None:
 for i in args.value_description:
- temp["description"] = temp["description"] + data[i].replace('\n', ' ') + "; "
+ if data[i] != "":
+ temp["description"] = temp["description"] + data[i].replace('\n', ' ') + "; "
 else:
 for i in range(len(data)):
 if i != args.value and data[i] != "":
From da331d6ca6a75ca4a20a56e78194c24227f12811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Mon, 30 Jan 2017 15:45:20 +0100
Subject: [PATCH 26/91] add ransomware galaxy
---
 clusters/ransomware.json | 865 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 865 insertions(+)
 create mode 100644 clusters/ransomware.json
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
new file mode 100644
index 00000000..d8943dd9
--- /dev/null
+++ b/clusters/ransomware.json
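Review bot: The new `if data[i] != "":` guard still indexes `data[i]` before checking that the column exists, so a column number passed to `-e` that lies beyond the length of a ragged CSV row aborts the whole conversion with `IndexError`; `if i < len(data) and data[i] != "":` keeps the run going. The empty-cell check and the newline replacement are now duplicated between this branch and the `else` branch below it, so a small helper taking the cell text would keep the two in step. The enclosing `for data in csvreader` loop starts outside the hunk.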
@@ -0,0 +1,865 @@ +{ + "authors": [ + "authorname" + ], + "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", + "type": "ransomware", + "version": 1, + "name": "Ransomware", + "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", + "values": [ + { + "description": "AES(256); .enc; ", + "value": ".CryptoHasYou." + }, + { + "description": "Sevleg; XOR; .777; ._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777; ", + "value": "777" + }, + { + "description": "7ev3n-HONE$T; .R4A .R5A; ", + "value": "7ev3n" + }, + { + "description": "AES; .7h9r; ", + "value": "7h9r" + }, + { + "description": "AES (256); .8lock8; ", + "value": "8lock8" + }, + { + "description": ".bin; ", + "value": "Alfa Ransomware" + }, + { + "description": "AES(128); random; random(x5); ", + "value": "Alma Ransomware" + }, + { + "description": "AlphaLocker; AES(256); .encrypt; ", + "value": "Alpha Ransomware" + }, + { + "description": ".amba; ", + "value": "AMBA" + }, + { + "description": ".adk; ", + "value": "Angry Duck" + }, + { + "description": "Fabiansomeware; .encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt; ", + "value": "Apocalypse" + }, + { + "description": ".encrypted .locked; ", + "value": "ApocalypseVM" + }, + { + "description": ".locky; ", + "value": "AutoLocky" + }, + { + "description": "", + "value": "BadBlock" + }, + { + "description": ".adr; ", + "value": "BaksoCrypt" + }, + { + "description": "Rakhni; AES(256); .id-[ID]_[EMAIL_ADDRESS]; ", + "value": "Bandarchor" + }, + { + "description": "BaCrypt; .bart.zip .bart .perl; ", + "value": "Bart" + }, + { + "description": ".clf; ", + "value": "BitCryptor" + }, + { + "description": "Base64 + String Replacement; .bitstak; ", + "value": "BitStak" + }, + { + "description": "SilentShade; AES (256); .Silent; ", + "value": "BlackShades Crypter" + }, + { + "description": "AES (256); .blocatto; ", + 
"value": "Blocatto" + }, + { + "description": "Salam!; ", + "value": "Booyah" + }, + { + "description": "AES(256); .lock; ", + "value": "Brazilian" + }, + { + "description": "AES; ", + "value": "BrLock" + }, + { + "description": "", + "value": "Browlock" + }, + { + "description": "GOST; ; ", + "value": "Bucbi" + }, + { + "description": "(.*).encoded.([A-Z0-9]{9}); ", + "value": "BuyUnlockCode" + }, + { + "description": ".cry; ", + "value": "Central Security Treatment Organization" + }, + { + "description": "AES; .cerber .cerber2 .cerber3; ", + "value": "Cerber" + }, + { + "description": ".crypt 4 random characters, e.g., .PzZs, .MKJL; ", + "value": "Chimera" + }, + { + "description": ".clf; ", + "value": "CoinVault" + }, + { + "description": "AES(256); .coverton .enigma .czvxce; ", + "value": "Coverton" + }, + { + "description": ".{CRYPTENDBLACKDC}; ", + "value": "Cryaki" + }, + { + "description": "", + "value": "Crybola" + }, + { + "description": "Moves bytes; .criptiko .criptoko .criptokod .cripttt .aga; ", + "value": "CryFile" + }, + { + "description": "Cry, CSTO; .cry; ", + "value": "CryLocker" + }, + { + "description": "AES(256); ", + "value": "CrypMIC" + }, + { + "description": ".ENCRYPTED; ", + "value": "Crypren" + }, + { + "description": "AES; .crypt38; ", + "value": "Crypt38" + }, + { + "description": "Hidden Tear; AES(256); ", + "value": "Cryptear" + }, + { + "description": "RSA; .scl; id[_ID]email_xerx@usa.com.scl; ", + "value": "CryptFIle2" + }, + { + "description": ".crinf; ", + "value": "CryptInfinite" + }, + { + "description": "AES and RSA; ", + "value": "CryptoBit" + }, + { + "description": "", + "value": "CryptoDefense" + }, + { + "description": "Ranscam; ", + "value": "CryptoFinancial" + }, + { + "description": "AES (256), RSA (1024); .frtrss; ", + "value": "CryptoFortress" + }, + { + "description": ".clf; ", + "value": "CryptoGraphic Locker" + }, + { + "description": "Manamecrypt, Telograph, ROI Locker; AES(256) (RAR implementation); ", + 
"value": "CryptoHost" + }, + { + "description": "AES-256; .crjoker; ", + "value": "CryptoJoker" + }, + { + "description": ".encrypted .ENC; ", + "value": "CryptoLocker" + }, + { + "description": "[A-F0-9]{8}_luck; ", + "value": "CryptoLuck / YafunnLocker" + }, + { + "description": "Zeta; .code .scl; .id_(ID_MACHINE)_email_xoomx@dr.com_.code .id_*_email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl; ", + "value": "CryptoMix" + }, + { + "description": "AES; .crptrgr; ", + "value": "CryptoRoger" + }, + { + "description": "AES; .locked; ", + "value": "CryptoShocker" + }, + { + "description": ".CryptoTorLocker2015!; ", + "value": "CryptoTorLocker2015" + }, + { + "description": "no filename change; ", + "value": "CryptoWall 1" + }, + { + "description": "no filename change; ", + "value": "CryptoWall 2" + }, + { + "description": "no filename change; ", + "value": "CryptoWall 3" + }, + { + "description": "., e.g., 27p9k967z.x1nep; ", + "value": "CryptoWall 4" + }, + { + "description": "CryptProjectXXX; .crypt; ", + "value": "CryptXXX" + }, + { + "description": "CryptProjectXXX; .crypt; ", + "value": "CryptXXX 2.0" + }, + { + "description": "UltraDeCrypter UltraCrypter; .crypt .cryp1 .crypz .cryptz random; ", + "value": "CryptXXX 3.0" + }, + { + "description": ".cryp1; ", + "value": "CryptXXX 3.1" + }, + { + "description": "", + "value": "CTB-Faker" + }, + { + "description": "Citroni; RSA(2048); .ctbl ; .([a-z]{6,7}); ", + "value": "CTB-Locker" + }, + { + "description": "AES(256); ", + "value": "CTB-Locker WEB" + }, + { + "description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ", + "value": "CuteRansomware" + }, + { + "description": "", + "value": "Deadly for a Good Purpose" + }, + { + "description": ".html; ", + "value": "DeCrypt Protect" + }, + { + "description": "AES-256; .ded; ", + "value": "DEDCryptor" + }, + { + "description": "Based on Detox: Calipso We are all Pokemons Nullbyte; AES; ", + "value": "DetoxCrypto" + }, + { + "description": "", + "value": 
"DirtyDecrypt" + }, + { + "description": "AES(256) in ECB mode, Version 2-4 also RSA; ", + "value": "DMALocker" + }, + { + "description": "AES(256); ", + "value": "DMALocker 3.0" + }, + { + "description": "AES(256); .domino; ", + "value": "Domino" + }, + { + "description": "Cryptear; AES(256); .locked; ", + "value": "EDA2 / HiddenTear" + }, + { + "description": "EduCrypter; .isis .locked; ", + "value": "EduCrypt" + }, + { + "description": "Los Pollos Hermanos; .ha3; ", + "value": "El-Polocker" + }, + { + "description": "Trojan.Encoder.6491; ", + "value": "Encoder.xxxx" + }, + { + "description": "AES (128); .enigma .1txt; ", + "value": "Enigma" + }, + { + "description": ".exotic; ", + "value": "Exotic" + }, + { + "description": "", + "value": "Fairware" + }, + { + "description": ".locked; ", + "value": "Fakben" + }, + { + "description": "Variants: Comrade Circle; AES(128); .fantom; ", + "value": "Fantom" + }, + { + "description": "", + "value": "Fonco" + }, + { + "description": "", + "value": "FSociety" + }, + { + "description": "", + "value": "Fury" + }, + { + "description": "AES (256); .Z81928819; ", + "value": "GhostCrypt" + }, + { + "description": "Purge; Blowfish; .purge; ", + "value": "Globe v1" + }, + { + "description": "Purge; Blowfish; .. 
e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg; ", + "value": "Globe v2" + }, + { + "description": "Purge; RC4; .globe or random; ", + "value": "Globe v3" + }, + { + "description": "Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker; AES (256); .locked; .locked, e.g., bill.!ID!8MMnF!ID!.locked; ", + "value": "GNL Locker" + }, + { + "description": ".crypt; !___[EMAILADDRESS]_.crypt; ", + "value": "Gomasom" + }, + { + "description": "", + "value": "Goopic" + }, + { + "description": "", + "value": "Gopher" + }, + { + "description": ".html; ", + "value": "Harasom" + }, + { + "description": "Mamba; Custom (net shares), XTS-AES (disk); ", + "value": "HDDCryptor" + }, + { + "description": ".herbst; ", + "value": "Herbst" + }, + { + "description": "AES(256); .cry ; ", + "value": "Hi Buddy!" + }, + { + "description": "removes extensions; ", + "value": "Hitler" + }, + { + "description": "AES; (encrypted); ", + "value": "HolyCrypt" + }, + { + "description": "Hungarian Locky (Hucky); AES, RSA (hardcoded); .locky; [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky; ", + "value": "Hucky" + }, + { + "description": "hydracrypt_ID_[\\w]{8}; ", + "value": "HydraCrypt" + }, + { + "description": ".crime; ", + "value": "iLock" + }, + { + "description": ".crime; ", + "value": "iLockLight" + }, + { + "description": "<6 random characters>; ", + "value": "International Police Association" + }, + { + "description": "!ENC; ", + "value": "JagerDecryptor" + }, + { + "description": "Encryptor RaaS, Sarento; RC6 (files), RSA 2048 (RC6 key); ", + "value": "Jeiphoos" + }, + { + "description": "CryptoHitMan (subvariant); AES(256); .btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz; ", + "value": "Jigsaw" + }, + { + "description": "TripleDES; .locked .css; ", + "value": "Job Crypter" + }, + { + "description": "AES; .encrypted; ", + "value": "KeRanger" + }, + { + "description": "keybtc@inbox_com ; ", + "value": "KeyBTC" + }, + { 
+ "description": "", + "value": "KEYHolder" + }, + { + "description": ".rip; ", + "value": "Killer Locker" + }, + { + "description": "AES; .kimcilware .locked; ", + "value": "KimcilWare" + }, + { + "description": "AES(256); .암호화됨; ", + "value": "Korean" + }, + { + "description": ".kostya; ", + "value": "Kostya" + }, + { + "description": "QC; RSA(2048); .31392E30362E32303136_[ID-KEY]_LSBJ1; .([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5}); ", + "value": "Kozy.Jozy" + }, + { + "description": ".kratos; ", + "value": "KratosCrypt" + }, + { + "description": "AES(256); ", + "value": "KryptoLocker" + }, + { + "description": ".LeChiffre; ", + "value": "LeChiffre" + }, + { + "description": "Linux.Encoder.{0,3}; ", + "value": "Linux.Encoder" + }, + { + "description": "", + "value": "Locker" + }, + { + "description": "AES(128); .locky .zepto .odin .shit .thor .asier .zzzzz .osiris; ([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris; ", + "value": "Locky" + }, + { + "description": ".lock93; ", + "value": "Lock93" + }, + { + "description": ".crime; ", + "value": "Lortok" + }, + { + "description": "oor.; ", + "value": "LowLevel04" + }, + { + "description": "", + "value": "Mabouia" + }, + { + "description": "AES(256); .magic; ", + "value": "Magic" + }, + { + "description": "AES(256), RSA (2048); [a-z]{4,6}; ", + "value": "MaktubLocker" + }, + { + "description": "Crypt888; AES; Lock.; ", + "value": "MIRCOP" + }, + { + "description": "AES(256); .fucked, .fuck; ", + "value": "MireWare" + }, + { + "description": "\"Petya's little brother\"; .([a-zA-Z0-9]{4}); ", + "value": "Mischa" + }, + { + "description": "Booyah; AES(256); .locked; ", + "value": "MM Locker" + }, + { + "description": "Yakes CryptoBit; .KEYZ .KEYH0LES; ", + "value": "Mobef" + }, + { + "description": "", + "value": "n1n1n1" + }, + { + "description": "", + "value": "Nagini" + }, + { + "description": "AES (256), 
RSA; ", + "value": "NanoLocker" + }, + { + "description": "XOR(255) 7zip; .crypted; ", + "value": "Nemucod" + }, + { + "description": "", + "value": "NoobCrypt" + }, + { + "description": "XOR; .odcodc; C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc; ", + "value": "ODCODC" + }, + { + "description": "Vipasana, Cryakl; .cbf; email-[params].cbf; ", + "value": "Offline ransomware" + }, + { + "description": "GPCode; .LOL! .OMG!; ", + "value": "OMG! Ransomware" + }, + { + "description": "", + "value": "Onyx" + }, + { + "description": ".EXE; ", + "value": "Operation Global III" + }, + { + "description": ".padcrypt; ", + "value": "PadCrypt" + }, + { + "description": "XOR; ", + "value": "PClock" + }, + { + "description": "Goldeneye; Modified Salsa20; ", + "value": "Petya" + }, + { + "description": "AES(256); .locked; .locked; ", + "value": "Philadelphia" + }, + { + "description": ".id-[victim_id]-maestro@pizzacrypts.info; ", + "value": "PizzaCrypts" + }, + { + "description": "AES(256); .locked; ", + "value": "PokemonGO" + }, + { + "description": "AES(256); .filock; ", + "value": "Popcorn Time" + }, + { + "description": "AES(256); ", + "value": "Polyglot" + }, + { + "description": "PoshCoder; AES(128); .locky; ", + "value": "PowerWare" + }, + { + "description": "AES, but throws key away, destroys the files; ", + "value": "PowerWorm" + }, + { + "description": "", + "value": "PRISM" + }, + { + "description": ".crypt; ", + "value": "R980" + }, + { + "description": "RAA; .locked; ", + "value": "RAA encryptor" + }, + { + "description": "AES(256); .RDM .RRK .RAD .RADAMANT; ", + "value": "Radamant" + }, + { + "description": "Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor; .locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15; .coderksu@gmail_com_id[0-9]{2,3} 
.crypt@india.com.[\\w]{4,12}; ", + "value": "Rakhni" + }, + { + "description": "locked-.[a-zA-Z]{4}; ", + "value": "Rannoh" + }, + { + "description": "", + "value": "Ransom32" + }, + { + "description": "Asymmetric 1024 ; ", + "value": "RansomLock" + }, + { + "description": ".vscrypt .infected .bloc .korrektor; ", + "value": "Rector" + }, + { + "description": "AES(256); .rekt; ", + "value": "RektLocker" + }, + { + "description": ".remind .crashed; ", + "value": "RemindMe" + }, + { + "description": "Curve25519 + ChaCha; .rokku; ", + "value": "Rokku" + }, + { + "description": "samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe; AES(256) + RSA(2096); .encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork; ", + "value": "Samas-Samsam" + }, + { + "description": "AES(256) + RSA(2096); .sanction; ", + "value": "Sanction" + }, + { + "description": "Sarah_G@ausi.com___; ", + "value": "Satana" + }, + { + "description": "", + "value": "Scraper" + }, + { + "description": "AES; ", + "value": "Serpico" + }, + { + "description": "Atom; .locked; ", + "value": "Shark" + }, + { + "description": ".shino; ", + "value": "ShinoLocker" + }, + { + "description": "KinCrypt; ", + "value": "Shujin" + }, + { + "description": "AES; .~; ", + "value": "Simple_Encoder" + }, + { + "description": "AES(256); .locked; ", + "value": "SkidLocker / Pompous" + }, + { + "description": ".encrypted; ", + "value": "Smrss32" + }, + { + "description": "AES(256); .RSNSlocked .RSplited; ", + "value": "SNSLocker" + }, + { + "description": ".sport; ", + "value": "Sport" + }, + { + "description": "AES(256); .locked; ", + "value": "Stampado" + }, + { + "description": "AES(256); .locked; ", + "value": "Strictor" + }, + { + "description": "AES(256); .surprise .tzu; ", + "value": "Surprise" + }, + { + "description": "", + "value": "Survey" + }, + { + "description": "", + "value": "SynoLocker" + }, + { + "description": ".szf; ", 
+ "value": "SZFLocker" + }, + { + "description": "Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic; .xcri; ", + "value": "TeleCrypt" + }, + { + "description": "AlphaCrypt; .vvv .ecc .exx .ezz .abc .aaa .zzz .xyz; ", + "value": "TeslaCrypt 0.x - 2.2.0" + }, + { + "description": "AES(256) + ECHD + SHA1; .micro .xxx .ttt .mp3; ", + "value": "TeslaCrypt 3.0+" + }, + { + "description": "AES(256) + ECHD + SHA1; ", + "value": "TeslaCrypt 4.1A" + }, + { + "description": "", + "value": "TeslaCrypt 4.2" + }, + { + "description": "", + "value": "Threat Finder" + }, + { + "description": "Crypt0L0cker (subvariant); AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt; .Encrypted .enc; ", + "value": "TorrentLocker" + }, + { + "description": "", + "value": "TowerWeb" + }, + { + "description": ".toxcrypt; ", + "value": "Toxcrypt" + }, + { + "description": "Shade XTBL; AES(256); .better_call_saul .xtbl .da_vinci_code .windows10; ", + "value": "Troldesh" + }, + { + "description": "AES(256); .enc; ", + "value": "TrueCrypter" + }, + { + "description": "AES(256); .locked; ", + "value": "Turkish Ransom" + }, + { + "description": "AES; umbrecrypt_ID_[VICTIMID]; ", + "value": "UmbreCrypt" + }, + { + "description": "AES; .H3LL .0x0 .1999; ", + "value": "Ungluk" + }, + { + "description": ".CRRRT .CCCRRRPPP; ", + "value": "Unlock92" + }, + { + "description": "CrypVault Zlader; uses gpg.exe; .vault .xort .trun; ", + "value": "VaultCrypt" + }, + { + "description": "", + "value": "VenisRansomware" + }, + { + "description": "AES(256); .Venusf .Venusp; ", + "value": "VenusLocker" + }, + { + "description": ".exe; ", + "value": "Virlock" + }, + { + "description": "Crysis; AES(256); .CrySiS .xtbl; .id-########.decryptformoney@india.com.xtbl; ", + "value": "Virus-Encoder" + }, + { + "description": ".wflx; ", + "value": "WildFire Locker" + }, + { + "description": "XOR or TEA; .EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791; ", + "value": "Xorist" + }, + { + 
"description": ".xrtn; ", + "value": "XRTN " + }, + { + "description": "Zcryptor; .zcrypt; ", + "value": "Zcrypt" + }, + { + "description": ".crypto; ", + "value": "Zimbra" + }, + { + "description": "VaultCrypt CrypVault; RSA; .vault; ", + "value": "Zlader / Russian" + }, + { + "description": "GNL Locker; .zyklon; ", + "value": "Zyklon" + } + ], + "source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml" +} From 720246fd3383e5650d3982f5608ab05579cdb9f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Mon, 30 Jan 2017 16:25:40 +0100 Subject: [PATCH 27/91] ransomware galaxy --- README.md | 1 + galaxies/ransomware.json | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 galaxies/ransomware.json diff --git a/README.md b/README.md index ef2c0252..11327fa3 100644 --- a/README.md +++ b/README.md 
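Review bot: Every `description` in the new cluster is the raw semicolon-joined spreadsheet row, which leaves a trailing `"; "` on each entry (`"AES(256); .enc; "`), empty separators (`"GOST; ; "`) and many entries set to `""`; the encryption algorithm and file extensions are the useful part and would be better carried as structured `meta` fields, e.g. `"meta": {"encryption": "AES(256)", "extensions": [".enc"]}` (constructed example), in the same way the other clusters in this series use `meta.refs` and `meta.synonyms`, with an empty description omitted rather than set to `""`. `"value": "XRTN "` has a trailing space that makes the name differ from `XRTN` in any exact comparison. No entry carries a `refs` list, so statements such as `"Petya's little brother"` or `"AES, but throws key away, destroys the files"` cannot be traced beyond the single spreadsheet URL in `source`. Since the file is generated by `tools/csv_to_galaxy.py`, these points are best fixed in the converter so that regeneration does not undo them.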
@@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years. - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft. - [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures. +- [clusters/ransomware.json](clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml - [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries. - [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP - [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. diff --git a/galaxies/ransomware.json b/galaxies/ransomware.json new file mode 100644 index 00000000..d2007a5b --- /dev/null +++ b/galaxies/ransomware.json @@ -0,0 +1,7 @@ +{ + "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", + "type": "ransomware", + "version": 1, + "name": "Ransomware", + "uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078", +} From 39c1b0be8d707f2f25367f819ab0722abf1c4d3a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Tue, 31 Jan 2017 08:21:31 +0100 Subject: [PATCH 28/91] fix galaxy ##comma## --- galaxies/ransomware.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxies/ransomware.json b/galaxies/ransomware.json index d2007a5b..f8e04a3a 100644 --- a/galaxies/ransomware.json +++ b/galaxies/ransomware.json @@ -3,5 +3,5 @@ "type": "ransomware", "version": 1, "name": "Ransomware", - "uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078", + "uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078" } From d6cab37977204d29abf6eb7895e382d7cb3b6ae1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Tue, 31 Jan 2017 09:11:26 +0100 Subject: [PATCH 29/91] change author name to 'Various' --- clusters/ransomware.json | 2 +- tools/csv_to_galaxy.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index d8943dd9..c8022201 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -1,6 +1,6 @@ { "authors": [ - "authorname" + "Various" ], "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", "type": "ransomware", diff --git a/tools/csv_to_galaxy.py b/tools/csv_to_galaxy.py index 6c43df4b..9cbf07ef 100644 --- a/tools/csv_to_galaxy.py +++ b/tools/csv_to_galaxy.py @@ -64,7 +64,7 @@ if __name__ == '__main__': for author in args.authors: galaxy["authors"].append(author) else: - galaxy["authors"] = ["authorname"] + galaxy["authors"] = ["Various"] if args.source is not None: galaxy["source"] = args.source From 92bb39265362c975f225c2c0e18d6e794d5718e3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 31 Jan 2017 09:21:19 +0100 Subject: [PATCH 30/91] Flokibot added --- clusters/tool.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index d583a212..62b56990 100644 
--- a/clusters/tool.json +++ b/clusters/tool.json @@ -1252,7 +1252,7 @@ }, "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", "value": "Shamoon" - }, + }, { "value": "GhostAdmin", "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.", @@ -1274,9 +1274,17 @@ "meta": { "refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"] } + }, + { + "value": "Flokibot", + "description": "", + "meta": { + "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/"], + "synonyms": ["Floki Bot"] + } } ], - "version": 16, + "version": 17, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 30d9233db65360f6ec5f6550c18f3a4bb48dd620 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 3 Feb 2017 22:26:40 +0100 Subject: [PATCH 31/91] ZeroT added --- clusters/tool.json | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 62b56990..cd3e1e21 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1277,14 +1277,21 @@ }, { "value": "Flokibot", - "description": "", + "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.", "meta": { - "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/"], + "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"], "synonyms": ["Floki Bot"] } + }, + { + "value": "ZeroT", + "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.", + "meta": { + "refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"] + } } ], - "version": 17, + "version": 18, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 8817d4869dd72bd230ad7bf0ce2e1992623da307 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Thu, 9 Feb 2017 08:46:21 +0100 Subject: [PATCH 32/91] add Erebus ransomware --- clusters/ransomware.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index c8022201..28608c2e 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json 
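Review bot: The ZeroT description added here refers to "the same group" and "this group" without naming anyone, because it was lifted mid-paragraph from the Proofpoint post, so inside the cluster the attribution is dangling. Rewrite it to stand alone, e.g. `"description": "ZeroT is a downloader observed since summer 2016 delivering the PlugX remote access Trojan (RAT) in spear-phishing campaigns against military and aerospace interests in Russia and Belarus; Microsoft Compiled HTML Help (.chm) files were added as one of the initial droppers."`, and keep any actor attribution in `meta` rather than in prose. The new Flokibot text has the same copy-paste artefact ("described recently by Dr. Peter Stephenson from SC Magazine"), which is stale the day after it is committed; drop the time-relative phrasing and let `refs` carry the citation.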
@@ -859,6 +859,10 @@ { "description": "GNL Locker; .zyklon; ", "value": "Zyklon" + }, + { + "description": "AES; ", + "value": "Erebus" } ], "source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml" From 5442a262ab8cf298c8d3c4f6011604529a40342c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 10 Feb 2017 10:09:37 +0100 Subject: [PATCH 33/91] StreamEX added --- clusters/tool.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index cd3e1e21..beb3906a 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1289,9 +1289,16 @@ "meta": { "refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"] } + }, + { + "value": "StreamEx", + "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ", + "meta": { + "refs": ["https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"] + } } ], - "version": 18, + "version": 19, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": [ From 47ac01ee96d7ea9c14d3032fcefbbcffda5cbf00 Mon Sep 17 00:00:00 2001 
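Review bot: The Erebus entry carries no `meta.refs`, so the only claim it makes — `"description": "AES; "` — cannot be traced to a source, and a bare cipher name tells an analyst nothing (key size, file cipher versus key wrapping, extension appended). Add a `meta` object with at least a `refs` array pointing at the analysis this was derived from, and either say what the AES claim means or omit it. The entry is also appended after Zyklon, breaking the alphabetical order the imported list otherwise keeps; inserting it in place keeps future diffs readable and makes accidental duplicates visible.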
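Review bot: The StreamEx description ends with "The malware documented in this post was predominantly 64-bit…" — "this post" has no referent inside the cluster, and the string carries a trailing space after "in the wild. ". Rephrase the last sentence so it stands alone, e.g. `"… change browser security settings, and remotely execute commands. Samples analysed by Cylance were predominantly 64-bit, with 32-bit versions also seen in the wild."`, without the trailing blank. The cited URL slug ties the family to Shell Crew; if that association is intended, record it explicitly in `meta` rather than leaving it implicit in the link.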
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 13 Feb 2017 18:32:53 +0100 Subject: [PATCH 34/91] Initial Json schema --- .travis.yml | 21 ++++---- galaxies/exploit-kit.json | 10 ++-- galaxies/microsoft-activity-group.json | 10 ++-- galaxies/preventive-measure.json | 10 ++-- galaxies/tds.json | 10 ++-- galaxies/threat-actor.json | 10 ++-- galaxies/tool.json | 10 ++-- jq_all_the_things.sh | 13 +++++ schema.json | 72 ++++++++++++++++++++++++++ validate_all.sh | 21 ++++++++ 10 files changed, 146 insertions(+), 41 deletions(-) create mode 100755 jq_all_the_things.sh create mode 100644 schema.json create mode 100755 validate_all.sh diff --git a/.travis.yml b/.travis.yml index 96744ae1..c413fe70 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,17 +1,16 @@ -language: bash +language: python + +cache: pip + +python: + - "3.6" sudo: required -dist: trusty - install: - - git clone https://github.com/stedolan/jq.git - - pushd jq - - autoreconf -i - - ./configure --disable-maintainer-mode - - make - - sudo make install - - popd + - sudo apt-get update -qq + - sudo apt-get install -y -qq jq moreutils + - pip install jsonschema script: - - cat */*.json | jq . + - ./validate_all.sh diff --git a/galaxies/exploit-kit.json b/galaxies/exploit-kit.json index f86ddf16..47074487 100644 --- a/galaxies/exploit-kit.json +++ b/galaxies/exploit-kit.json 
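Review bot: `pip install jsonschema` is unpinned, so the validator that gates every merge is whatever PyPI serves on the day the job runs; a breaking or compromised upstream release changes what this CI accepts with no change in the repository. Pin it — `pip install 'jsonschema==<version tested locally>'`, or a `requirements.txt` installed with `--require-hashes` — and bump deliberately. Replacing the previous build-from-master `git clone` of jq with the distro `jq`/`moreutils` packages is an improvement on the same axis, since those come from a signed repository rather than the tip of a GitHub branch.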
@@ -1,7 +1,7 @@ { - "type" : "exploit-kit", - "name" : "Exploit-Kit", - "description":"Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", - "version": 2, - "uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01" + "type": "exploit-kit", + "name": "Exploit-Kit", + "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", + "version": 2, + "uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01" } diff --git a/galaxies/microsoft-activity-group.json b/galaxies/microsoft-activity-group.json index 6ddcfb0a..9bfa2a3c 100644 --- a/galaxies/microsoft-activity-group.json +++ b/galaxies/microsoft-activity-group.json @@ -1,7 +1,7 @@ { - "name": "Microsoft Activity Group actor", - "type": "microsoft-activity-group", - "description": "Activity groups as described by Microsoft", - "version": 1, - "uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505" + "name": "Microsoft Activity Group actor", + "type": "microsoft-activity-group", + "description": "Activity groups as described by Microsoft", + "version": 1, + "uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505" } diff --git a/galaxies/preventive-measure.json b/galaxies/preventive-measure.json index 9046977d..40b5d914 100644 --- a/galaxies/preventive-measure.json +++ b/galaxies/preventive-measure.json 
@@ -1,7 +1,7 @@ { - "name": "Preventive Measure", - "type": "preventive-measure", - "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", - "version": 1, - "uuid": "8168995b-adcd-4684-9e37-206c5771505a" + "name": "Preventive Measure", + "type": "preventive-measure", + "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", + "version": 1, + "uuid": "8168995b-adcd-4684-9e37-206c5771505a" } diff --git a/galaxies/tds.json b/galaxies/tds.json index 2763cf0f..e773d3ae 100644 --- a/galaxies/tds.json +++ b/galaxies/tds.json @@ -1,7 +1,7 @@ { - "type" : "tds", - "name" : "TDS", - "description": "TDS is a list of Traffic Direction System used by adversaries", - "version": 2, - "uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01" + "type": "tds", + "name": "TDS", + "description": "TDS is a list of Traffic Direction System used by adversaries", + "version": 2, + "uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01" } diff --git a/galaxies/threat-actor.json b/galaxies/threat-actor.json index 9b1a57bd..d5f64ec3 100644 --- a/galaxies/threat-actor.json +++ b/galaxies/threat-actor.json 
@@ -1,7 +1,7 @@
 {
- "name" : "Threat Actor",
- "type" : "threat-actor",
- "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
- "version": 1,
- "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
+ "name": "Threat Actor",
+ "type": "threat-actor",
+ "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
+ "version": 1,
+ "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
 }
diff --git a/galaxies/tool.json b/galaxies/tool.json
index 2237162e..b4adbfd3 100644
--- a/galaxies/tool.json
+++ b/galaxies/tool.json
@@ -1,7 +1,7 @@
 {
- "type" : "tool",
- "name" : "Tool",
- "description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
- "version": 1,
- "uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b"
+ "type": "tool",
+ "name": "Tool",
+ "description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
+ "version": 1,
+ "uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b"
 }
diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh
new file mode 100755
index 00000000..e87dd4c7
--- /dev/null
+++ b/jq_all_the_things.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+set -x
+
+# Seeds sponge, from moreutils
+
+for dir in galaxies/*.json
+do
+ cat ${dir} | jq . | sponge ${dir}
+done
+
+cat schema.json | jq . | sponge schema.json
diff --git a/schema.json b/schema.json
new file mode 100644
index 00000000..73acaba6
--- /dev/null
+++ b/schema.json
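Review bot: A galaxy file that jq cannot parse is silently emptied by `cat ${dir} | jq . | sponge ${dir}`: jq emits little or nothing on a parse error, sponge still replaces the file with that output, and the pipeline's exit status is sponge's, so `set -e` never triggers. Add `set -o pipefail` next to `set -e`, and validate before rewriting — `jq empty "${dir}"` on the line before the sponge pipeline — so a parse error aborts with the original file intact; the same applies to the `schema.json` pipeline on the last line. Quoting `"${dir}"` also keeps the loop correct for paths containing spaces.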
@@ -0,0 +1,72 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "title": "Validator for misp-galaxies",
+ "id": "https://www.github.com/MISP/misp-galaxies/schema.json",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "description": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "version": {
+ "type": "integer"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uuid": {
+ "type": "string"
+ },
+ "source": {
+ "type": "string"
+ },
+ "values": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "description": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "Possible Issues": {
+ "type": "string"
+ },
+ "meta": {
+ "type": "object"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ }
+ },
+ "authors": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "description",
+ "type",
+ "version",
+ "name",
+ "uuid",
+ "values",
+ "authors",
+ "source"
+ ]
+}
diff --git a/validate_all.sh b/validate_all.sh
new file mode 100755
index 00000000..f39f8501
--- /dev/null
+++ b/validate_all.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+set -x
+
+./jq_all_the_things.sh
+
+diffs=`git status --porcelain | wc -l`
+
+if ! [ $diffs -eq 0 ]; then
+ echo "Please make sure you run ./jq_all_the_things.sh before commiting."
+ exit 1
+fi
+
+for dir in galaxies/*.json
+do
+ echo -n "${dir}: "
+ jsonschema -i ${dir} schema.json
+ echo ''
+done
+
From 910398fe76531cc851f1614fce08c68361480cc8 Mon Sep 17 00:00:00 2001
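Review bot: `"uuid": {"type": "string"}` accepts any string, yet the uuid is presumably the identifier MISP keys the galaxy on, so a typo or a non-UUID value passes validation unnoticed; add `"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"` to the `uuid` property. `"uniqueItems": true` on `values` compares whole objects, so two entries with the same `value` but different descriptions — the duplicate problem this series is fighting — still validate; catching that needs a tooling step such as `jq -r '.values[].value' | sort | uniq -d` in the validation script. `meta` is left as an open object; since every cluster uses `refs` and `synonyms`, typing those as arrays of strings now would catch the malformed entries that are hardest to spot by eye.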
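Review bot: The loop runs `jsonschema -i ${dir} schema.json` over `galaxies/*.json`, but the schema's `required` list includes `values`, `authors` and `source`, and the galaxy files reformatted earlier in this patch are seven-line documents holding only type/name/description/version/uuid, so as written every file should fail validation; either the loop belongs on `clusters/*.json` or the galaxy definitions need their own schema (the following commit's title suggests this was noticed). `git status --porcelain | wc -l` also counts untracked files, so any stray file in the CI workspace produces the misleading "run jq_all_the_things.sh" message; `git diff --quiet -- galaxies schema.json` narrows the check to what the previous step actually rewrites. Quote `"${dir}"` in both the echo and the jsonschema call.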
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 13 Feb 2017 18:52:54 +0100 Subject: [PATCH 35/91] Fix validation, remove duplicate. --- clusters/exploit-kit.json | 472 ++++++++++++------------- clusters/microsoft-activity-group.json | 38 +- clusters/preventive-measure.json | 66 ++-- clusters/tds.json | 159 ++++----- clusters/threat-actor.json | 46 ++- clusters/tool.json | 149 ++++---- jq_all_the_things.sh | 2 +- validate_all.sh | 2 +- 8 files changed, 483 insertions(+), 451 deletions(-) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 006b21d3..102fcfbd 100755 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json 
@@ -1,453 +1,447 @@ { - "values": [ - { "value": "Astrum", + "values": [ + { + "value": "Astrum", "description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2014/09/astrum-ek.html", "http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/" ], - "synonyms": [ + "synonyms": [ "Stegano EK" ], - "status": "Unknown - Last Seen 2016-12-07" - } - } -, - { "value": "DealersChoice", + "status": "Unknown - Last Seen 2016-12-07" + } + }, + { + "value": "DealersChoice", "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF", "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/" ], - "synonyms": [ + "synonyms": [ "Sednit RTF EK" ], - "status": "Active" - } - } -, - { "value": "DNSChanger", + "status": "Active" + } + }, + { + "value": "DNSChanger", "description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html", "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices" ], - "synonyms": [ + "synonyms": [ "RouterEK" ], - "status": "Active" - } - } -, - { "value": "Empire", + "status": "Active" + } + }, + { + "value": "Empire", "description": "The Empire Pack is a variation of RIG operated by a load seller. 
It's being fed by many traffic actors", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" ], - "synonyms": [ + "synonyms": [ "RIG-E" - ] - , - "status": "Unknown - Last seen: 2016-12-29" - } - } -, - { "value": "Hunter", + ], + "status": "Unknown - Last seen: 2016-12-29" + } + }, + { + "value": "Hunter", "description": "Hunter EK is an evolution of 3Ros EK", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers" ], - "synonyms": [ + "synonyms": [ "3ROS Exploit Kit" - ] - , - "status": "Active" - } - } -, - { "value": "Kaixin", + ], + "status": "Active" + } + }, + { + "value": "Kaixin", "description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia", "meta": { "refs": [ "http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/", "http://www.kahusecurity.com/2012/new-chinese-exploit-pack/" ], - "synonyms": [ + "synonyms": [ "CK vip" - ] , - "status": "Active" - } - } -, - { "value": "Magnitude", + ], + "status": "Active" + } + }, + { + "value": "Magnitude", "description": "Magnitude EK", "meta": { "refs": [ - "http://malware.dontneedcoffee.com/2013/10/Magnitude.html", + "http://malware.dontneedcoffee.com/2013/10/Magnitude.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/", "http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html" ], - "synonyms": [ + "synonyms": [ "Popads EK", "TopExp" ], - "status": "Active" - } - } -, - { "value": "MWI", + "status": "Active" + } + }, + { + "value": "MWI", "description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. 
The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks", "meta": { "refs": [ "https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html", "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf" ], - "status": "Active" - } - } -, - { "value": "Neutrino", + "status": "Active" + } + }, + { + "value": "Neutrino", "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html", "http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html" ], - "synonyms": [ + "synonyms": [ "Job314", "Neutrino Rebooted", "Neutrino-v" - ] - , - "status": "Active" - } - } -, - { "value": "RIG", + ], + "status": "Active" + } + }, + { + "value": "RIG", "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. 
RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.", "meta": { "refs": [ "http://www.kahusecurity.com/2014/rig-exploit-pack/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/", - "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" + "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/", + "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" ], - "synonyms": [ + "synonyms": [ "RIG 3", - "RIG-v", - "RIG 4", - "Meadgive" + "RIG-v", + "RIG 4", + "Meadgive" ], - "status": "Active" - } - } -, - { "value": "Sednit EK", + "status": "Active" + } + }, + { + "value": "Sednit EK", "description": "Sednit EK is the exploit kit used by APT28", "meta": { "refs": [ "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/" ], - "status": "Active" - } - } -, - { "value": "Bizarro Sundown", + "status": "Active" + } + }, + { + "value": "Bizarro Sundown", "description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features", "meta": { "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/", "https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/" ], - "synonyms": [ + "synonyms": [ "Sundown-b" ], - "status": "Active" - } - } -, - { "value": "GreenFlash Sundown", + "status": "Active" + } + }, + { + "value": "GreenFlash Sundown", "description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing", "meta": { "refs": [ 
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/" ], - "synonyms": [ + "synonyms": [ "Sundown-GF" ], - "status": "Active" - } - } -, - { "value": "Sundown", + "status": "Active" + } + }, + { + "value": "Sundown", "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html", "https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road" ], - "synonyms": [ + "synonyms": [ "Beps", "Xer", "Beta" ], - "status": "Active", - "colour": "#C03701" - } - } -, - { "value": "Angler", + "status": "Active", + "colour": "#C03701" + } + }, + { + "value": "Angler", "description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC", "meta": { "refs": [ "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/", "http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html", - "http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html" + "http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html" ], - "synonyms": [ + "synonyms": [ "XXX", "AEK", "Axpergle" ], - "status": "Retired - Last seen: 2016-06-07" - } - } -, - { "value": "Archie", + "status": "Retired - Last seen: 2016-06-07" + } + }, + { + "value": "Archie", "description": "Archie EK", "meta": { "refs": [ "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit" ], - "status": "Retired" - } - } -, - { "value": "BlackHole", + "status": "Retired" + } + }, + { + "value": "BlackHole", "description": "The BlackHole Exploit Kit 
has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)", "meta": { "refs": [ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/", "https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/" ], - "synonyms": [ + "synonyms": [ "BHEK" ], - "status": "Retired - Last seen: 2013-10-07" - } - } -, - { "value": "Bleeding Life", + "status": "Retired - Last seen: 2013-10-07" + } + }, + { + "value": "Bleeding Life", "description": "Bleeding Life is an exploit kit that became open source with its version 2", "meta": { "refs": [ "http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/", "http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html" ], - "synonyms": [ + "synonyms": [ "BL", "BL2" - ] - , - "status": "Retired" - } - } -, - { "value": "Cool", + ], + "status": "Retired" + } + }, + { + "value": "Cool", "description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2012/10/newcoolek.html", "http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/" ], - "synonyms": [ + "synonyms": [ "CEK", - "Styxy Cool" + "Styxy Cool" ], - "status": "Retired - Last seen: 2013-10-07" - } - } -, - { "value": "Fiesta", + "status": "Retired - Last seen: 2013-10-07" + } + }, + { + "value": "Fiesta", "description": "Fiesta Exploit Kit", "meta": { "refs": [ "http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an", "http://www.kahusecurity.com/2011/neosploit-is-back/" ], - "synonyms": [ + "synonyms": [ "NeoSploit", "Fiexp" - ] - , - "status": "Retired - Last Seen: beginning of 2015-07" - } - } -, - { "value": "FlashPack", + 
], + "status": "Retired - Last Seen: beginning of 2015-07" + } + }, + { + "value": "FlashPack", "description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html", "http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html" ], - "synonyms": [ + "synonyms": [ "FlashEK", "SafePack", "CritXPack", "Vintage Pack" - ] - , - "status": "Retired - Last seen: middle of 2015-04" - } - } -, - { "value": "GrandSoft", + ], + "status": "Retired - Last seen: middle of 2015-04" + } + }, + { + "value": "GrandSoft", "description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html", "http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html", - "https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/" + "https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/" ], - "synonyms": [ + "synonyms": [ "StampEK", "SofosFO" - ] , - "status": "Retired - Last seen: 2014-03" - } - } -, - { "value": "HanJuan", + ], + "status": "Retired - Last seen: 2014-03" + } + }, + { + "value": "HanJuan", "description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. 
It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015", "meta": { "refs": [ - "http://www.malwaresigs.com/2013/10/14/unknown-ek/", - "https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/", + "http://www.malwaresigs.com/2013/10/14/unknown-ek/", + "https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/", "http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack", "https://twitter.com/kafeine/status/562575744501428226" ], - "status": "Retired - Last seen: 2015-07" - } - } -, - { "value": "Himan", + "status": "Retired - Last seen: 2015-07" + } + }, + { + "value": "Himan", "description": "Himan Exploit Kit", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2013/10/HiMan.html" ], - "synonyms": [ + "synonyms": [ "High Load" ], - "status": "Retired - Last seen: 2014-04" - } - } -, - { "value": "Impact", + "status": "Retired - Last seen: 2014-04" + } + }, + { + "value": "Impact", "description": "Impact EK", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html" - ] - , - "status": "Retired" - } - } -, - { "value": "Infinity", + ], + "status": "Retired" + } + }, + { + "value": "Infinity", "description": "Infinity is an evolution of Redkit", "meta": { "refs": [ "http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html", - "http://www.kahusecurity.com/2014/the-resurrection-of-redkit/" + "http://www.kahusecurity.com/2014/the-resurrection-of-redkit/" ], - "synonyms": [ + "synonyms": [ "Redkit v2.0", "Goon" ], - "status": "Retired - Last seen: 2014-07" - } - } -, - { "value": "Lightsout", + "status": "Retired - Last seen: 2014-07" + } + }, + { + "value": "Lightsout", "description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex", "meta": { "refs": [ 
"http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html", "http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html", - "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" + "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" ], - "status": "Unknown - Last seen: 2014-03" - } - } -, - { "value": "Niteris", + "status": "Unknown - Last seen: 2014-03" + } + }, + { + "value": "Niteris", "description": "Niteris was used mainly to target Russian.", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2014/06/cottoncastle.html", "http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html" ], - "synonyms": [ + "synonyms": [ "CottonCastle" ], - "status": "Unknown - Last seen: 2015-11" - } - } -, - { "value": "Nuclear", + "status": "Unknown - Last seen: 2015-11" + } + }, + { + "value": "Nuclear", "description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack", "meta": { "refs": [ "http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/" ], - "synonyms": [ + "synonyms": [ "NEK", "Nuclear Pack", - "Spartan", - "Neclu" - ] , - "status": "Retired - Last seen: 2015-04-30" - } - } -, - { "value": "Phoenix", + "Spartan", + "Neclu" + ], + "status": "Retired - Last seen: 2015-04-30" + } + }, + { + "value": "Phoenix", "description": "Phoenix Exploit Kit", "meta": { "refs": [ "http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/" ], - "synonyms": [ + "synonyms": [ "PEK" ], - "status": "Retired" - } - } -, - { "value": "Private Exploit Pack", + "status": "Retired" + } + }, + { + "value": "Private Exploit Pack", "description": "Private Exploit Pack", "meta": { "refs": [ 
"http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html", "http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html" ], - "synonyms": [ + "synonyms": [ "PEP" ], - "status": "Retired" - } - } -, - { "value": "Redkit", + "status": "Retired" + } + }, + { + "value": "Redkit", "description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic", "meta": { "refs": [ @@ -455,35 +449,35 @@ "http://malware.dontneedcoffee.com/2012/05/inside-redkit.html", "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/" ], - "status": "Retired" - } - } -, - { "value": "Sakura", + "status": "Retired" + } + }, + { + "value": "Sakura", "description": "Description Here", "meta": { "refs": [ "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html" ], - "status": "Retired - Last seen: 2013-09" - } - } -, - { "value": "Sweet-Orange", + "status": "Retired - Last seen: 2013-09" + } + }, + { + "value": "Sweet-Orange", "description": "Sweet Orange", "meta": { "refs": [ "http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html" ], - "synonyms": [ + "synonyms": [ "SWO", "Anogre" ], - "status": "Retired - Last seen: 2015-04-05" - } - } -, - { "value": "Styx", + "status": "Retired - Last seen: 2015-04-05" + } + }, + { + "value": "Styx", "description": "Styx Exploit Kit", "meta": { "refs": [ @@ -491,11 +485,11 @@ "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/", "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html" ], - "status":"Retired - Last seen: 2014-06" - } - } -, - { "value": "Unknown", + "status": "Retired - Last seen: 2014-06" + } + }, + { + "value": "Unknown", "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.", "meta": { "refs": [ 
@@ -503,9 +497,9 @@
 "https://twitter.com/node5",
 "https://twitter.com/kahusecurity"
 ]
- }
+ }
 }
-],
+ ],
 "version": 3,
 "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
 "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 116c4e13..e96d599b 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -4,21 +4,27 @@ "value": "PROMETHIUM", "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "meta": { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"] - } + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + } }, { "value": "NEODYMIUM", "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "meta": { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"] - } + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + } }, { "value": "TERBIUM", "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. 
Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "meta" : { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"] + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" + ] } }, { @@ -36,12 +42,12 @@ "Group-4127", "Sofacy", "Grey-Cloud" - ], + ], "country": "RU", "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf", - "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/" + "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/" ] } }, 
@@ -74,14 +80,19 @@ "value": "BARIUM", "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. 
The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.", "meta": { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"] + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" + ] } }, { - "value": "LEAD", - "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. 
In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.", - "meta": { - "refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"] } + "value": "LEAD", + "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" + ] + } } ], "name": "Microsoft Activity Group actor", 
@@ -94,4 +105,3 @@
 "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
 "version": 2
 }
-
diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index 491a24aa..82706e41 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
@@ -6,8 +6,8 @@
 "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
 ],
 "Complexity": "Medium",
- "Effectiveness": "High",
- "Impact": "Low",
+ "Effectiveness": "High",
+ "Impact": "Low",
 "Type": "Recovery"
 },
 "value": "Backup and Restore Process",
@@ -20,8 +20,8 @@
 "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
 ],
 "Complexity": "Low",
- "Effectiveness": "High",
- "Impact": "Low",
+ "Effectiveness": "High",
+ "Impact": "Low",
 "Type": "GPO"
 },
 "value": "Block Macros",
@@ -33,8 +33,8 @@
 "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
 ],
 "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Medium",
+ "Effectiveness": "Medium",
+ "Impact": "Medium",
 "Type": "GPO"
 },
 "value": "Disable WSH",
@@ -44,8 +44,8 @@
 {
 "meta": {
 "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Low",
+ "Effectiveness": "Medium",
+ "Impact": "Low",
 "Type": "Mail Gateway"
 },
 "value": "Filter Attachments Level 1",
@@ -54,8 +54,8 @@
 {
 "meta": {
 "Complexity": "Low",
- "Effectiveness": "High",
- "Impact": "High",
+ "Effectiveness": "High",
+ "Impact": "High",
 "Type": "Mail Gateway"
 },
 "value": "Filter Attachments Level 2",
@@ -65,12 +65,12 @@
 {
 "meta": {
 "refs": [
- "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
+ "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
 "http://www.thirdtier.net/ransomware-prevention-kit/"
 ],
 "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Medium",
+ "Effectiveness": "Medium",
+ "Impact": "Medium",
 "Type": "GPO"
 },
 "value": "Restrict program execution",
@@ -83,8 +83,8 @@
 "http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
 ],
 "Complexity": "Low",
- "Effectiveness": "Low",
- "Impact": "Low",
+ "Effectiveness": "Low",
+ "Impact": "Low",
 "Type": "User Assistence"
 },
 "value": "Show File Extensions",
@@ -96,8 +96,8 @@
 "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
 ],
 "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Low",
+ "Effectiveness": "Medium",
+ "Impact": "Low",
 "Type": "GPO"
 },
 "value": "Enforce UAC Prompt",
@@ -107,8 +107,8 @@
 {
 "meta": {
 "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Medium",
+ "Effectiveness": "Medium",
+ "Impact": "Medium",
 "Type": "Best Practice"
 },
 "value": "Remove Admin Privileges",
@@ -118,8 +118,8 @@
 {
 "meta": {
 "Complexity": "Medium",
- "Effectiveness": "Low",
- "Impact": "Low",
+ "Effectiveness": "Low",
+ "Impact": "Low",
 "Type": "Best Practice"
 },
 "value": "Restrict Workstation Communication",
@@ -128,7 +128,7 @@
 {
 "meta": {
 "Complexity": "Medium",
- "Effectiveness": "High",
+ "Effectiveness": "High",
 "Type": "Advanced Malware Protection"
 },
 "value": "Sandboxing Email Input",
@@ -137,7 +137,7 @@
 {
 "meta": {
 "Complexity": "Medium",
- "Effectiveness": "Medium",
+ "Effectiveness": "Medium",
 "Type": "3rd Party Tools"
 },
 "value": "Execution Prevention",
@@ -149,8 +149,8 @@
 "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
 ],
 "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Medium",
+ "Effectiveness": "Medium",
+ "Impact": "Medium",
 "Type": "GPO"
 },
 "value": "Change Default \"Open With\" to Notepad",
@@ -163,8 +163,8 @@
 "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
 ],
 "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Low",
+ "Effectiveness": "Medium",
+ "Impact": "Low",
 "Type": "Monitoring"
 },
 "value": "File Screening",
@@ -177,8 +177,8 @@
 "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
 ],
 "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Medium",
+ "Effectiveness": "Medium",
+ "Impact": "Medium",
 "Type": "GPO"
 },
 "value": "Restrict program execution #2",
@@ -192,8 +192,8 @@
 "http://windowsitpro.com/security/control-emet-group-policy"
 ],
 "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Low",
+ "Effectiveness": "Medium",
+ "Impact": "Low",
 "Type": "GPO"
 },
 "value": "EMET",
@@ -205,8 +205,8 @@
 "https://twitter.com/JohnLaTwC/status/799792296883388416"
 ],
 "Complexity": "Medium",
- "Effectiveness": "Low",
- "Impact": "Low",
+ "Effectiveness": "Low",
+ "Impact": "Low",
 "Type": "3rd Party Tools"
 },
 "value": "Sysmon",
diff --git a/clusters/tds.json b/clusters/tds.json
index 4fcb9354..75759a75 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -1,79 +1,80 @@ -{ - "values": [ - { "value": "Keitaro", - "description": "Keitaro TDS is among the mostly used TDS in drive by infection chains", - "meta": { - "refs": [ - "https://keitarotds.com/" - ] - }, - "type":"Commercial" - } -, - { "value": "Sutra", - "description": "Sutra TDS was dominant from 2012 till 2015", - "meta": { - "refs": [ - "http://kytoon.com/sutra-tds.html" - ], - "type":"Commercial" - } - } -, - { "value": "SimpleTDS", - "description": "SimpleTDS is a basic open source TDS", - "meta": { - "refs": [ - "https://sourceforge.net/projects/simpletds/" - ], - "synonyms": [ - "Stds" - ], - "type":"OpenSource" - } - } -, - { "value": "BossTDS", - "description": "BossTDS", - "meta": { - "refs": [ - "http://bosstds.com/" - ], - "type":"Commercial" - } - } -, - { "value": "BlackHat TDS", - "description": "BlackHat TDS is sold underground.", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html" - ], - "type":"Underground" - } - } -, - { "value": "Futuristic TDS", - "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer", - "meta": { - "type":"Underground" - } - } -, - { "value": "Orchid TDS", - "description": "Orchid TDS was sold underground. 
Rare usage", - "meta": { - "type":"Underground" - } - } - ], - "version": 1, - "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01", - "description": "TDS is a list of Traffic Direction System used by adversaries", - "authors": [ - "Kafeine" - ], - "source": "MISP Project", - "type": "tds", - "name": "TDS" -} +{ + "values": [ + { + "value": "Keitaro", + "description": "Keitaro TDS is among the mostly used TDS in drive by infection chains", + "meta": { + "refs": [ + "https://keitarotds.com/" + ] + }, + "type": "Commercial" + }, + { + "value": "Sutra", + "description": "Sutra TDS was dominant from 2012 till 2015", + "meta": { + "refs": [ + "http://kytoon.com/sutra-tds.html" + ], + "type": "Commercial" + } + }, + { + "value": "SimpleTDS", + "description": "SimpleTDS is a basic open source TDS", + "meta": { + "refs": [ + "https://sourceforge.net/projects/simpletds/" + ], + "synonyms": [ + "Stds" + ], + "type": "OpenSource" + } + }, + { + "value": "BossTDS", + "description": "BossTDS", + "meta": { + "refs": [ + "http://bosstds.com/" + ], + "type": "Commercial" + } + }, + { + "value": "BlackHat TDS", + "description": "BlackHat TDS is sold underground.", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html" + ], + "type": "Underground" + } + }, + { + "value": "Futuristic TDS", + "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer", + "meta": { + "type": "Underground" + } + }, + { + "value": "Orchid TDS", + "description": "Orchid TDS was sold underground. Rare usage", + "meta": { + "type": "Underground" + } + } + ], + "version": 1, + "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01", + "description": "TDS is a list of Traffic Direction System used by adversaries", + "authors": [ + "Kafeine" + ], + "source": "MISP Project", + "type": "tds", + "name": "TDS" +} diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 82f390bc..15096164 100644 --- a/clusters/threat-actor.json 
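Review bot: In the rebuilt Keitaro entry the `"type": "Commercial"` key is placed at the entry level, after the closing brace of `meta`, while every other entry in this hunk (Sutra, SimpleTDS, BossTDS, BlackHat TDS, Futuristic TDS, Orchid TDS) keeps `type` inside `meta`; a consumer that reads `meta.type` will see Keitaro as untyped. The reformat carried the misplacement over from the old side instead of fixing it; moving the key inside the block, `"meta": { "refs": [ "https://keitarotds.com/" ], "type": "Commercial" }`, aligns it with the others. Separately, the index line shows the file with mode 100755; a JSON data file has no reason to carry the executable bit.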
+++ b/clusters/threat-actor.json
@@ -435,7 +435,7 @@
 "Motive": "Espionage"
 },
 "value": "Anchor Panda",
- "Description": "PLA Navy"
+ "description": "PLA Navy"
 },
 {
 "meta": {
@@ -990,24 +990,28 @@
 "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
 },
 {
- "refs": [
- "https://citizenlab.org/2016/05/stealth-falcon/"
- ],
- "country": "UAE",
+ "meta": {
+ "refs": [
+ "https://citizenlab.org/2016/05/stealth-falcon/"
+ ],
+ "synonyms": [
+ "FruityArmor"
+ ],
+ "country": "UAE"
+ },
 "value": "Stealth Falcon",
- "description": "Group targeting Emirati journalists, activists, and dissidents.",
- "synonyms": [
- "FruityArmor"
- ]
+ "description": "Group targeting Emirati journalists, activists, and dissidents."
 },
 {
- "synonyms": [
- "Operation Daybreak",
- "Operation Erebus"
- ],
- "refs": [
- "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
- ],
+ "meta": {
+ "synonyms": [
+ "Operation Daybreak",
+ "Operation Erebus"
+ ],
+ "refs": [
+ "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
+ ]
+ },
 "value": "ScarCruft",
 "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
 },
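Review bot: The Stealth Falcon block moved under `meta` by the `@@ -990,24 +990,28 @@` hunk keeps `"country": "UAE"`, whereas the other `country` values on this page (`"RU"` in microsoft-activity-group.json, `"US"` for Equation Group, `"IT"` in tool.json) are two-letter ISO 3166-1 alpha-2 codes; the alpha-2 code for the United Arab Emirates is `AE`, and a three-letter value will not match any filter or lookup keyed on the two-letter form. Since the line is already rewritten in this hunk, `"country": "AE"` would fix it in the same change. The enclosing `values` array starts and ends outside the hunk.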
@@ -1356,14 +1360,18 @@
 "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
 "meta": {
 "country": "US",
- "refs": ["https://en.wikipedia.org/wiki/Equation_Group"]
+ "refs": [
+ "https://en.wikipedia.org/wiki/Equation_Group"
+ ]
 }
 },
 {
 "value": "Greenbug",
 "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
 "meta": {
- "refs": ["https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"]
+ "refs": [
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
+ ]
 }
 }
 ],
@@ -1379,5 +1387,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 13
+ "version": 14
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index beb3906a..ed0187ed 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -48,23 +48,13 @@
 "value": "ZeGhost"
 },
 {
- "value": "Backdoor.Dripion",
- "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
+ "value": "Elise Backdoor",
 "meta": {
- "refs": [
- "http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"
- ],
 "synonyms": [
- "Dripion"
+ "Elise"
 ]
 }
 },
- {
- "value": "Elise Backdoor",
- "synonyms": [
- "Elise"
- ]
- },
 {
 "value": "Trojan.Laziok",
 "meta": {
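Review bot: The `@@ -48,23 +48,13 @@` hunk of clusters/tool.json deletes the whole `Backdoor.Dripion` entry — its description, the Symantec reference and the `Dripion` synonym — while the other hunks in this file only move `refs`/`synonyms` under `meta` or fix key names; if the intent was just to give `Elise Backdoor` a `meta` block, the Dripion deletion looks accidental, and anything already tagged with that cluster would point at a value that no longer exists. If the removal is deliberate it deserves a mention in the commit message, and the file's `version` should be bumped the way the threat-actor.json hunk above bumps its version to 14 (tool.json's version line is not in the visible hunks, so it may be bumped elsewhere). The enclosing `values` array starts and ends outside the hunk.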
@@ -104,7 +94,7 @@
 },
 {
 "value": "Lost Door RAT",
- "descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
+ "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
 "meta": {
 "synonyms": [
 "LostDoor RAT"
@@ -210,8 +200,13 @@
 "value": "Wipbot",
 "description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)",
 "meta": {
- "synonyms": ["Tavdig", "Epic Turla"],
- "refs": ["https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"]
+ "synonyms": [
+ "Tavdig",
+ "Epic Turla"
+ ],
+ "refs": [
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ ]
 }
 },
 {
@@ -440,9 +435,14 @@
 "value": "Regin",
 "description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.",
 "meta": {
- "refs": ["https://en.wikipedia.org/wiki/Regin_(malware)"],
- "synonyms": ["Prax","WarriorPride"]
- }
+ "refs": [
+ "https://en.wikipedia.org/wiki/Regin_(malware)"
+ ],
+ "synonyms": [
+ "Prax",
+ "WarriorPride"
+ ]
+ }
 },
 {
 "value": "Duqu"
@@ -925,9 +925,11 @@
 {
 "value": "Odinaff",
 "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.",
- "refs": [
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
- ]
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
+ ]
+ }
 },
 {
 "value": "Hworm",
@@ -1167,13 +1169,13 @@
 },
 {
 "value": "DownRage",
- "synonyms": [
- "Carberplike"
- ],
 "meta": {
 "refs": [
 "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
 "https://twitter.com/Timo_Steffens/status/814781584536719360"
+ ],
+ "synonyms": [
+ "Carberplike"
 ]
 }
 },
@@ -1247,61 +1249,78 @@ "value": "MM Core" }, { - "meta": { - "refs": ["https://en.wikipedia.org/wiki/Shamoon"] - }, - "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", - "value": "Shamoon" - }, - { - "value": "GhostAdmin", - "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.", - "meta": { - "refs": ["https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"] - } + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Shamoon" + ] + }, + "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", + "value": "Shamoon" }, { - "value": " EyePyramid Malware", - "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. 
(Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)", - "meta": { - "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"], - "country": "IT" - } + "value": "GhostAdmin", + "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/" + ] + } }, { - "value": "LuminosityLink", - "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility", - "meta": { - "refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"] - } + "value": " EyePyramid Malware", + "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/" + ], + "country": "IT" + } }, { - "value": "Flokibot", - "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. 
However, the author came up with various custom modifications that makes it more interesting.", - "meta": { - "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"], - "synonyms": ["Floki Bot"] - } + "value": "LuminosityLink", + "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/" + ] + } }, { - "value": "ZeroT", - "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.", - "meta": { - "refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"] - } + "value": "Flokibot", + "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.", + "meta": { + "refs": [ + "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/" + ], + "synonyms": [ + "Floki Bot" + ] + } }, { - "value": "StreamEx", - "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. 
The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ", - "meta": { - "refs": ["https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"] - } + "value": "ZeroT", + "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" + ] + } + }, + { + "value": "StreamEx", + "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. 
", + "meta": { + "refs": [ + "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" + ] + } } ], - "version": 19, + "version": 21, "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", - "author": [ + "authors": [ "Alexandre Dulaunoy", "Florian Roth", "Timo Steffens", diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh index e87dd4c7..09f1f016 100755 --- a/jq_all_the_things.sh +++ b/jq_all_the_things.sh @@ -5,7 +5,7 @@ set -x # Seeds sponge, from moreutils -for dir in galaxies/*.json +for dir in clusters/*.json do cat ${dir} | jq . | sponge ${dir} done diff --git a/validate_all.sh b/validate_all.sh index f39f8501..129269a4 100755 --- a/validate_all.sh +++ b/validate_all.sh @@ -12,7 +12,7 @@ if ! [ $diffs -eq 0 ]; then exit 1 fi -for dir in galaxies/*.json +for dir in clusters/*.json do echo -n "${dir}: " jsonschema -i ${dir} schema.json From 9bf4da3a7ae3de288edc3be76029b0f7618c3031 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 14 Feb 2017 10:19:20 +0100 Subject: [PATCH 36/91] Add validator for galaxies --- jq_all_the_things.sh | 8 +++++++- schema.json => schema_clusters.json | 0 schema_galaxies.json | 31 +++++++++++++++++++++++++++++ validate_all.sh | 9 ++++++++- 4 files changed, 46 insertions(+), 2 deletions(-) rename schema.json => schema_clusters.json (100%) create mode 100644 schema_galaxies.json diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh index 09f1f016..16e241ef 100755 --- a/jq_all_the_things.sh +++ b/jq_all_the_things.sh @@ -10,4 +10,10 @@ do cat ${dir} | jq . | sponge ${dir} done -cat schema.json | jq . | sponge schema.json +for dir in galaxies/*.json +do + cat ${dir} | jq . | sponge ${dir} +done + +cat schema_clusters.json | jq . | sponge schema_clusters.json +cat schema_galaxies.json | jq . | sponge schema_galaxies.json 
diff --git a/schema.json b/schema_clusters.json
similarity index 100%
rename from schema.json
rename to schema_clusters.json
diff --git a/schema_galaxies.json b/schema_galaxies.json
new file mode 100644
index 00000000..5f4a6293
--- /dev/null
+++ b/schema_galaxies.json
@@ -0,0 +1,31 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "title": "Validator for misp-galaxies",
+ "id": "https://www.github.com/MISP/misp-galaxies/schema.json",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "description": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "version": {
+ "type": "integer"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uuid": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "description",
+ "type",
+ "version",
+ "name",
+ "uuid"
+ ]
+}
diff --git a/validate_all.sh b/validate_all.sh
index 129269a4..bcf06407 100755
--- a/validate_all.sh
+++ b/validate_all.sh
@@ -15,7 +15,14 @@ fi
 for dir in clusters/*.json
 do
 echo -n "${dir}: "
- jsonschema -i ${dir} schema.json
+ jsonschema -i ${dir} schema_clusters.json
+ echo ''
+done
+
+for dir in galaxies/*.json
+do
+ echo -n "${dir}: "
+ jsonschema -i ${dir} schema_galaxies.json
 echo ''
 done
From 7db66e05dd22faee44d2c2e3d0b72903c4336e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 14 Feb 2017 11:34:59 +0100
Subject: [PATCH 37/91] Strict schema, update clusters accordingly
---
 clusters/preventive-measure.json | 162 +++++++++++++++----------
 clusters/tds.json | 8 +-
 clusters/threat-actor.json | 12 +--
 clusters/tool.json | 6 +-
 schema_clusters.json | 59 +++++++++--
 5 files changed, 146 insertions(+), 101 deletions(-)
diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index 82706e41..a9f9089d 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
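Review bot: The new schema's `"id"` is `https://www.github.com/MISP/misp-galaxies/schema.json`, the file this same commit renames to schema_clusters.json; if schema_clusters.json kept that id (its header is not shown here) the two schemas now share one identifier, which matters because draft-04 resolvers derive `$ref` base URIs from `id`. A file-specific value such as `"id": "https://www.github.com/MISP/misp-galaxies/schema_galaxies.json"` avoids that. `"$schema": "http://json-schema.org/schema#"` leaves the draft unspecified, so `"http://json-schema.org/draft-04/schema#"` would pin what `jsonschema` validates against. `"uuid"` is only constrained to a string; a `"pattern"` for the 8-4-4-4-12 hex form would reject malformed identifiers at validation time rather than in consumers.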
@@ -5,10 +5,10 @@ "refs": [ "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7." ], - "Complexity": "Medium", - "Effectiveness": "High", - "Impact": "Low", - "Type": "Recovery" + "complexity": "Medium", + "effectiveness": "High", + "impact": "Low", + "type": "Recovery" }, "value": "Backup and Restore Process", "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore" @@ -19,10 +19,10 @@ "https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US", "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter" ], - "Complexity": "Low", - "Effectiveness": "High", - "Impact": "Low", - "Type": "GPO" + "complexity": "Low", + "effectiveness": "High", + "impact": "Low", + "type": "GPO" }, "value": "Block Macros", "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros" 
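Review bot: The Backup and Restore Process description opens a parenthesis that is never closed, `(Schrödinger's backup - it is both existent and non-existent until you've tried a restore`; the context line is not touched by this hunk but the entry's `meta` is rewritten here, so closing it with `restore)` would fit in the same commit.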
@@ -32,35 +32,35 @@ "refs": [ "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html" ], - "Complexity": "Low", - "Effectiveness": "Medium", - "Impact": "Medium", - "Type": "GPO" + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Medium", + "type": "GPO", + "possible_issues": "Administrative VBS scripts on Workstations" }, "value": "Disable WSH", - "description": "Disable Windows Script Host", - "Possible Issues": "Administrative VBS scripts on Workstations" + "description": "Disable Windows Script Host" }, { "meta": { - "Complexity": "Low", - "Effectiveness": "Medium", - "Impact": "Low", - "Type": "Mail Gateway" + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Low", + "type": "Mail Gateway" }, "value": "Filter Attachments Level 1", "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" }, { "meta": { - "Complexity": "Low", - "Effectiveness": "High", - "Impact": "High", - "Type": "Mail Gateway" + "complexity": "Low", + "effectiveness": "High", + "impact": "High", + "type": "Mail Gateway", + "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " }, "value": "Filter Attachments Level 2", - "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm", - "Possible Issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " + "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm" }, { "meta": { 
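Review bot: The new line `+ "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "` carries a trailing space inside the string, copied from the removed `Possible Issues` line; now that the value moves under `meta` it should be trimmed to `"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls)"`. In the same hunk the Filter Attachments Level 1 description lists `.exe` twice (after `.crt` and again before `.pif`), which a consumer turning the list into a filter rule would have to dedupe itself.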
@@ -68,24 +68,24 @@ "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/", "http://www.thirdtier.net/ransomware-prevention-kit/" ], - "Complexity": "Medium", - "Effectiveness": "Medium", - "Impact": "Medium", - "Type": "GPO" + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Medium", + "type": "GPO", + "possible_issues": "Web embedded software installers" }, "value": "Restrict program execution", - "description": "Block all program executions from the %LocalAppData% and %AppData% folder", - "Possible Issues": "Web embedded software installers" + "description": "Block all program executions from the %LocalAppData% and %AppData% folder" }, { "meta": { "refs": [ "http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm" ], - "Complexity": "Low", - "Effectiveness": "Low", - "Impact": "Low", - "Type": "User Assistence" + "complexity": "Low", + "effectiveness": "Low", + "impact": "Low", + "type": "User Assistence" }, "value": "Show File Extensions", "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")" 
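Review bot: The new line `+ "type": "User Assistence"` misspells the category; because schema_clusters.json (`@@ -36,14 +36,59 @@` below) types `meta.type` as a free string, a misspelling silently creates a new category rather than failing validation, so it should read `"type": "User Assistance"` before anything keys on it. The same class of defect appears in the next hunk (`@@ -95,50 +95,50 @@`), where `+ "possible_issues": "igher administrative costs"` has lost its first letter and should be `"possible_issues": "Higher administrative costs"`.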
@@ -95,50 +95,50 @@ "refs": [ "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx" ], - "Complexity": "Low", - "Effectiveness": "Medium", - "Impact": "Low", - "Type": "GPO" + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Low", + "type": "GPO", + "possible_issues": "administrator resentment" }, "value": "Enforce UAC Prompt", - "description": "Enforce administrative users to confirm an action that requires elevated rights", - "Possible Issues": "administrator resentment" + "description": "Enforce administrative users to confirm an action that requires elevated rights" }, { "meta": { - "Complexity": "Medium", - "Effectiveness": "Medium", - "Impact": "Medium", - "Type": "Best Practice" + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Medium", + "type": "Best Practice", + "possible_issues": "igher administrative costs" }, "value": "Remove Admin Privileges", - "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.", - "Possible Issues": "igher administrative costs" + "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to." 
}, { "meta": { - "Complexity": "Medium", - "Effectiveness": "Low", - "Impact": "Low", - "Type": "Best Practice" + "complexity": "Medium", + "effectiveness": "Low", + "impact": "Low", + "type": "Best Practice" }, "value": "Restrict Workstation Communication", "description": "Activate the Windows Firewall to restrict workstation to workstation communication" }, { "meta": { - "Complexity": "Medium", - "Effectiveness": "High", - "Type": "Advanced Malware Protection" + "complexity": "Medium", + "effectiveness": "High", + "type": "Advanced Malware Protection" }, "value": "Sandboxing Email Input", "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis" }, { "meta": { - "Complexity": "Medium", - "Effectiveness": "Medium", - "Type": "3rd Party Tools" + "complexity": "Medium", + "effectiveness": "Medium", + "type": "3rd Party Tools" }, "value": "Execution Prevention", "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor" 
@@ -148,24 +148,24 @@ "refs": [ "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/" ], - "Complexity": "Low", - "Effectiveness": "Medium", - "Impact": "Medium", - "Type": "GPO" + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Medium", + "type": "GPO", + "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." }, "value": "Change Default \"Open With\" to Notepad", - "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer", - "Possible Issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." + "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer" }, { "meta": { "refs": [ "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm" ], - "Complexity": "Low", - "Effectiveness": "Medium", - "Impact": "Low", - "Type": "Monitoring" + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Low", + "type": "Monitoring" }, "value": "File Screening", "description": "Server-side file screening with the help of File Server Resource Manager" 
@@ -176,14 +176,14 @@ "https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx", "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx" ], - "Complexity": "Medium", - "Effectiveness": "Medium", - "Impact": "Medium", - "Type": "GPO" + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Medium", + "type": "GPO", + "possible_issues": "Configure & test extensively" }, "value": "Restrict program execution #2", - "description": "Block program executions (AppLocker)", - "Possible Issues": "Configure & test extensively" + "description": "Block program executions (AppLocker)" }, { "meta": { @@ -191,10 +191,10 @@ "www.microsoft.com/emet", "http://windowsitpro.com/security/control-emet-group-policy" ], - "Complexity": "Medium", - "Effectiveness": "Medium", - "Impact": "Low", - "Type": "GPO" + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Low", + "type": "GPO" }, "value": "EMET", "description": "Detect and block exploitation techniques" @@ -204,10 +204,10 @@ "refs": [ "https://twitter.com/JohnLaTwC/status/799792296883388416" ], - "Complexity": "Medium", - "Effectiveness": "Low", - "Impact": "Low", - "Type": "3rd Party Tools" + "complexity": "Medium", + "effectiveness": "Low", + "impact": "Low", + "type": "3rd Party Tools" }, "value": "Sysmon", "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring" @@ -221,5 +221,5 @@ ], "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65", - "version": 1 + "version": 2 } diff --git a/clusters/tds.json b/clusters/tds.json index 75759a75..5cbf9963 100755 
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -6,9 +6,9 @@
 "meta": {
 "refs": [
 "https://keitarotds.com/"
- ]
- },
- "type": "Commercial"
+ ],
+ "type": "Commercial"
+ }
 },
 {
 "value": "Sutra",
@@ -68,7 +68,7 @@
 }
 }
 ],
- "version": 1,
+ "version": 2,
 "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
 "description": "TDS is a list of Traffic Direction System used by adversaries",
 "authors": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 15096164..3197fee2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -432,7 +432,7 @@
 "refs": [
 "http://www.crowdstrike.com/blog/whois-anchor-panda/"
 ],
- "Motive": "Espionage"
+ "motive": "Espionage"
 },
 "value": "Anchor Panda",
 "description": "PLA Navy"
@@ -451,7 +451,7 @@
 },
 {
 "meta": {
- "synomyns": [
+ "synonyms": [
 "IceFog",
 "Dagger Panda"
 ],
@@ -958,9 +958,9 @@
 "country": "FR",
 "synonyms": [
 "Animal Farm"
- ],
- "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
- }
+ ]
+ },
+ "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
 },
 {
 "meta": {
@@ -1387,5 +1387,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 14
+ "version": 15
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index ed0187ed..3de63622 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1151,8 +1151,8 @@
 },
 {
 "value": "Trojan.Seaduke",
+ "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
 "meta": {
- "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99"
 ],
@@ -1213,7 +1213,7 @@
 },
 {
 "meta": {
- "derivated-from": [
+ "derivated_from": [
 "Shiz"
 ],
 "refs": [
@@ -1317,7 +1317,7 @@
 }
 }
 ],
- "version": 21,
+ "version": 22,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "authors": [
diff --git a/schema_clusters.json b/schema_clusters.json
index 73acaba6..780bfe14 100644
--- a/schema_clusters.json
+++ b/schema_clusters.json
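Review bot: `+ "derivated_from": [` in the tool.json hunk `@@ -1213,7 +1213,7 @@` fixes the separator but keeps a misspelt stem; the conventional key is `derived_from`. Since this same commit freezes the accepted `meta` keys in schema_clusters.json (`@@ -36,14 +36,59 @@` below) with `additionalProperties: false`, this is the last cheap moment to rename it in both the data and the schema before consumers start depending on the name.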
@@ -36,14 +36,59 @@
 "value": {
 "type": "string"
 },
- "type": {
- "type": "string"
- },
- "Possible Issues": {
- "type": "string"
- },
 "meta": {
- "type": "object"
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "refs": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "synonyms": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "derivated_from": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "status": {
+ "type": "string"
+ },
+ "country": {
+ "type": "string"
+ },
+ "effectiveness": {
+ "type": "string"
+ },
+ "complexity": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "impact": {
+ "type": "string"
+ },
+ "motive": {
+ "type": "string"
+ },
+ "colour": {
+ "type": "string"
+ },
+ "possible_issues": {
+ "type": "string"
+ }
+ }
 }
 },
 "required": [
From 644e429110e0771e107a726af246f159c7343951 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 20 Feb 2017 17:34:55 +0100
Subject: [PATCH 38/91] PupyRAT added
---
 clusters/tool.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 3de63622..99732f7c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1315,9 +1315,18 @@
 "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
 ]
 }
+ },
+ {
+ "value": "PupyRAT",
+ "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.",
+ "meta": {
+ "refs": [
+ "https://github.com/n1nj4sec/pupy"
+ ]
+ }
 }
 ],
- "version": 22,
+ "version": 23,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "authors": [
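Review bot: The new `meta` properties `complexity`, `effectiveness` and `impact` are typed only as `string`, while the data committed alongside uses a fixed vocabulary for them (`Low`/`Medium`/`High` throughout preventive-measure.json); an `"enum": ["Low", "Medium", "High"]` on those three would catch exactly the spelling drift a strict schema is meant to stop. `refs` items likewise accept any string; `"format": "uri"` (enforced by `jsonschema` only when a format checker is enabled) would flag entries such as the scheme-less `www.microsoft.com/emet` in preventive-measure.json. `meta.type` is shared by preventive-measure (`GPO`, `Recovery`) and tds (`Commercial`), so it cannot be an enum without per-cluster schemas; a `"description"` on that property saying it is a free-form, cluster-specific label would make the intent explicit.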
From b75e9cf59da92028e60e7026eb506dd00ce40a42 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Thu, 23 Feb 2017 10:14:18 +0100
Subject: [PATCH 39/91] Gutemberg on first 10
---
 clusters/tool.json | 251 +++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 173 insertions(+), 78 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 99732f7c..80f092b2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,83 +1,178 @@ { "values": [ - { - "value": "PlugX", - "description": "Malware" - }, - { - "value": "MSUpdater" - }, - { - "value": "Lazagne", - "description": "A password recovery tool regularly used by attackers" - }, - { - "value": "Poison Ivy", - "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", - "meta": { - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" - ] - } - }, - { - "value": "SPIVY", - "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" - ] - } - }, - { - "value": "Torn RAT" - }, - { - "value": "OzoneRAT", - "meta": { - "refs": [ - "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" - ], - "synonyms": [ - "Ozone RAT", - "ozonercp" - ] - } - }, - { - "value": "ZeGhost" - }, - { - "value": "Elise Backdoor", - "meta": { - "synonyms": [ - "Elise" - ] - } - }, - { - "value": "Trojan.Laziok", - "meta": { - "synonyms": [ - "Laziok" - ], - "refs": [ - "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" - ] - }, - "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer." 
- }, - { - "value": "Slempo", - "description": "Android-based malware", - "meta": { - "synonyms": [ - "GM-Bot", - "Acecard" - ] - } - }, - { + { + "value" : "PlugX", + "description" : "Malware", + "meta" : { + "refs" : [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" + ], + "synonyms" : [ + "W32/Backdoor.FSZO-5117", + "Gen:Trojan.Heur.JP.juW@ayZZvMb", + "Trojan.Inject1.6386", + "Win32/Korplug.A", + "Trojan.Win32.Korplug", + "Backdoor/Win32.Plugx", + "Backdoor.Win32.Agent.dhwf", + "W32/Korplug.CH!tr" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "MSUpdater", + "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta" : { + "refs" : [ + "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "Lazagne", + "description" : "A password sthealing tool regularly used by attackers", + "meta" : { + "refs" : [ + "https://github.com/AlessandroZ/LaZagne" + ], + "category" : [ + "tool" + ] + } + }, + { + "value" : "Poison Ivy", + "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.", + "meta" : { + "refs" : [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ], + "synonyms" : [ + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "SPIVY", + "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", + "meta" : { + "refs" : [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "Torn RAT", + "meta" : { + "refs" : [ + 
"https://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "synonyms" : [ + "Anchor Panda" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "OzoneRAT", + "meta" : { + "refs" : [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ], + "synonyms" : [ + "Ozone RAT", + "ozonercp" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "ZeGhost", + "description" : "ZeGhots is a RAT which was freely available and first released in 2014.", + "meta" : { + "refs" : [ + "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" + ], + "synonyms" : [ + "BackDoor-FBZT!52D84425CDF2", + "Trojan.Win32.Staser.ytq", + "Win32/Zegost.BW" + ], + "category" : [ + "rat" + ] + } + }, + { + "value" : "Elise Backdoor", + "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta" : { + "refs" : [ + "http://thehackernews.com/2015/08/elise-malware-hacking.html" + ], + "synonyms" : [ + "Elise" + ], + "category" : [ + "dropper", + "stealer" + ] + } + }, + { + "value" : "Trojan.Laziok", + "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", + "meta" : { + "refs" : [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ], + "synonyms" : [ + "Laziok" + ], + "category" : [ + "stealer", + "reco" + ] + } + }, + { + "value" : "Slempo", + "description" : "Android-based malware", + "meta" : { + "refs" : [ + "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" + ], + "synonyms" : [ + "GM-Bot", + "SlemBunk", + "Bankosy", + "Acecard" + ], + "category" : [ + "spyware", + "android" + ] + } + }, + { "value": "PWOBot", "description": "We have discovered a malware family named ‘PWOBot’ that is fairly 
unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
 "meta": {
From c6ac4d847c382fca4fa1c39516e6aabd4bcc0d16 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Fri, 24 Feb 2017 13:25:38 +0100
Subject: [PATCH 40/91] Remove EK and Ransomwares
---
 clusters/tool.json | 32 --------------------------------
 1 file changed, 32 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 80f092b2..2539cee1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
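Review bot: Every rewritten entry in this hunk adds `"category" : [...]` under `meta`, but `category` is not among the `meta` properties that schema_clusters.json accepts after commit 37 set `additionalProperties: false`, so validate_all.sh should reject tool.json from this commit on; the same key is added to PWOBot in the `@@ -177,13 +177,23 @@` hunk two commits later. Either add `"category": {"type": "array", "uniqueItems": true, "items": {"type": "string"}}` to the schema or drop the key. Torn RAT gains the synonym `"Anchor Panda"`, which is a threat-actor name (it is a `value` in clusters/threat-actor.json above), not an alias of the tool, so a tag match on it would conflate the actor with one of its tools. Elise Backdoor's new description is a verbatim copy of MSUpdater's (` Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009`, leading space included), and `msupdater_trojan_whitepaper.pdfx`, `sthealing` and `ZeGhots` look like typos. The new lines also use `"key" : value` spacing unlike the rest of the file; running jq_all_the_things.sh before committing would have normalised that and kept the diff to real changes.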
@@ -1068,29 +1068,12 @@ ] } }, - { - "value": "Angler EK", - "description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/", - "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/" - ] - } - }, { "value": "Bedep" }, { "value": "Cromptui" }, - { - "value": "Cryptowall", - "description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage." - }, - { - "value": "CTB-Locker" - }, { "value": "Dridex", "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", @@ -1133,14 +1116,6 @@ ] } }, - { - "value": "Nuclear Pack", - "meta": { - "synonyms": [ - "Nuclear EK" - ] - } - }, { "value": "Palevo" }, @@ -1157,13 +1132,6 @@ ] } }, - { - "value": "Rig EK" - }, - { - "value": "Teslacrypt" - }, - { "value": "Upatre", "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. " }, From 796382d4ab2eb5e3795193a4c5da4b5841d65f87 Mon Sep 17 00:00:00 2001 
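Review bot: The third hunk (`@@ -1157,13 +1132,6 @@`) deletes the `{` that opened the Upatre object together with the Rig EK and Teslacrypt entries, so on the new side `"value": "Upatre"` directly follows `},` and clusters/tool.json no longer parses. The removal should stop at the `},` that closes Teslacrypt and keep the following `{` as a context line, i.e. `},` / `{` / `"value": "Upatre",`. A JSON validity check on the cluster files before commit (for example `python -m json.tool clusters/tool.json` in a pre-commit hook or CI step) would have caught this; a later patch on this page has to re-add the brace by hand.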
From: Thanat0s Date: Fri, 24 Feb 2017 13:39:53 +0100 Subject: [PATCH 41/91] Remove Lstudio (group using elise) , add info to PWOBOT --- clusters/tool.json | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 2539cee1..fa69da77 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -177,13 +177,23 @@ "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + ], + "synonyms" : [ + "PWOLauncher", + "PWOHTTPD", + "PWOKeyLogger", + "PWOMiner", + "PWOPyExec", + "PWOQuery" + ], + "category" : [ + "dropper", + "coinminer", + "spyware" ] } }, - { - "value": "Lstudio" - }, { "value": "Joy RAT" }, From 0513668fcfa881fec3718ac84ed40b5bc99e384b Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:46:12 +0100 Subject: [PATCH 42/91] =?UTF-8?q?Remove=20JOYRat=20->=20team=20->=20https:?= =?UTF-8?q?//www.crowdstrike.com/blog/whois-numbered-panda/=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index fa69da77..cb1687ab 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
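Review bot: The `"category"` key added to PWOBot's meta in hunk `@@ -177,13 +177,23 @@` does not appear to be a field the cluster schema defines — the schema_clusters.json hunk later on this page only knows `"type"` — so a validating consumer would presumably drop or reject this metadata; the key is renamed to `"type"` by a later patch on this page, which suggests it should have been `"type"` from the start. The new lines also use `"synonyms" : [` and `"category" : [` with a space before the colon while the neighbouring `"refs": [` does not; one spacing style per file keeps diffs clean. The ref line is removed and re-added with no visible textual change, which looks like an indentation-only change worth noting in the commit message.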
@@ -194,9 +194,6 @@ ] } }, - { - "value": "Joy RAT" - }, { "value": "Lost Door RAT", "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", From bb088f97d1f5d5c2a60df21584127af71381c706 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:56:33 +0100 Subject: [PATCH 43/91] =?UTF-8?q?Update=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index cb1687ab..7ff7bb7b 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -199,10 +199,14 @@ "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", "meta": { "synonyms": [ - "LostDoor RAT" + "LostDoor RAT", + "BKDR_LODORAT" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" + ], + "category": [ + "rat" ] } }, @@ -210,10 +214,14 @@ "value": "njRAT", "meta": { "synonyms": [ - "Bladabindi" + "Bladabindi", + "Jorik" ], "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" + ], + "category": [ + "rat" ] } }, 
@@ -221,10 +229,14 @@ "value": "NanoCoreRAT", "meta": { "synonyms": [ - "NanoCore" + "NanoCore", + "Nancrat", + "Zurten", + "Atros2.CKPN" ], "refs": [ - "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter" + "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", + "https://nanocore.io/" ] } }, From f496c34fda623a2949e3f16edc2244b9d14e942c Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:57:33 +0100 Subject: [PATCH 44/91] =?UTF-8?q?generic=20plugx=20names=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 7ff7bb7b..7bb01ecf 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8,14 +8,11 @@ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" ], "synonyms" : [ - "W32/Backdoor.FSZO-5117", - "Gen:Trojan.Heur.JP.juW@ayZZvMb", + "Backdoor.FSZO-5117", + "Trojan.Heur.JP.juW@ayZZvMb", "Trojan.Inject1.6386", - "Win32/Korplug.A", - "Trojan.Win32.Korplug", - "Backdoor/Win32.Plugx", - "Backdoor.Win32.Agent.dhwf", - "W32/Korplug.CH!tr" + "Korplug", + "Agent.dhwf" ], "category" : [ "rat" From c1848b1a3a82a440429318de40b93e865405adb3 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 13:59:14 +0100 Subject: [PATCH 45/91] =?UTF-8?q?json=20issue=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/tool.json b/clusters/tool.json index 7bb01ecf..eb7a68ac 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
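Review bot: The NanoCoreRAT hunk (`@@ -221,10 +229,14 @@`) adds synonyms and a ref but not the `"category": [ "rat" ]` entry that the two other hunks in this commit (Lost Door RAT, njRAT) add alongside their new synonyms, so the commit leaves the three RAT entries inconsistently tagged; closing the refs array with `],` and adding `"category": [ "rat" ]` would align it. The new `https://nanocore.io/` ref is the tool's own distribution site rather than an analysis write-up; if `refs` is meant to hold vetted analysis sources, consumers that surface or fetch refs automatically will want that distinction made explicit, or the entry dropped in favour of the existing Symantec write-up.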
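Review bot: Stripping the vendor and platform prefixes in the PlugX hunk (`@@ -8,14 +8,11 @@`) leaves synonyms such as `Agent.dhwf` and `Backdoor.FSZO-5117` that are no longer unambiguous detection names — `Agent.*` in particular is a generic family label applied to many unrelated samples — so anything that correlates events against the `synonyms` list will match far more broadly than the original `Backdoor.Win32.Agent.dhwf` did. `Trojan.Heur.JP.juW@ayZZvMb` is a heuristic detection identifier rather than a family name and is of little use as a synonym in either form. Keeping the full vendor names (or only the genuinely family-level one, `Korplug`) would preserve the precision of the list; the generic spellings can be mentioned in `description` instead.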
@@ -1148,6 +1148,7 @@ ] } }, + { "value": "Upatre", "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. " }, From 8c2c47810ef696b102068c12d01cb6277b125fa2 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 14:00:42 +0100 Subject: [PATCH 46/91] =?UTF-8?q?Locky=20removed=20>=20ransomware=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index eb7a68ac..c2f5985e 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1119,10 +1119,6 @@ ] } }, - { - "value": "Locky", - "description": "Ransomware" - }, { "value": "Necurs", "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", @@ -1394,6 +1390,7 @@ "refs": [ "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" ] + ck } }, { From 8240e5f6615cf3276f70d57ebe0597062b080411 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 14:05:57 +0100 Subject: [PATCH 47/91] =?UTF-8?q?json=20typo=C2=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- clusters/tool.json | 1 - 1 file changed, 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index c2f5985e..5e9d711e 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1390,7 +1390,6 @@ "refs": [ "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" ] - ck } }, { From b124d8a08d6aa9c7833344bb2e4e3b3ce34fbc6e Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 15:52:08 +0100 Subject: [PATCH 48/91] Follow the format --- clusters/tool.json | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) 
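Review bot: The second hunk of the Locky removal (`@@ -1394,6 +1390,7 @@`) adds a bare `ck` token after the Shell Crew refs array, which is not valid JSON and leaves clusters/tool.json unparseable until the following patch removes it again. The line looks like a stray keystroke and should simply not be part of this commit, whose title says it only removes the Locky entry. Running the cluster files through a JSON parser in CI would reject this kind of commit automatically.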
diff --git a/clusters/tool.json b/clusters/tool.json index 5e9d711e..d4e84138 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -14,7 +14,7 @@ "Korplug", "Agent.dhwf" ], - "category" : [ + "type" : [ "rat" ] } @@ -26,7 +26,7 @@ "refs" : [ "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" ], - "category" : [ + "type" : [ "rat" ] } @@ -38,7 +38,7 @@ "refs" : [ "https://github.com/AlessandroZ/LaZagne" ], - "category" : [ + "type" : [ "tool" ] } @@ -55,7 +55,7 @@ "Backdoor.Win32.PoisonIvy", "Gen:Trojan.Heur.PT" ], - "category" : [ + "type" : [ "rat" ] } @@ -67,7 +67,7 @@ "refs" : [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ], - "category" : [ + "type" : [ "rat" ] } @@ -81,7 +81,7 @@ "synonyms" : [ "Anchor Panda" ], - "category" : [ + "type" : [ "rat" ] } @@ -96,7 +96,7 @@ "Ozone RAT", "ozonercp" ], - "category" : [ + "type" : [ "rat" ] } @@ -113,7 +113,7 @@ "Trojan.Win32.Staser.ytq", "Win32/Zegost.BW" ], - "category" : [ + "type" : [ "rat" ] } @@ -128,7 +128,7 @@ "synonyms" : [ "Elise" ], - "category" : [ + "type" : [ "dropper", "stealer" ] @@ -144,7 +144,7 @@ "synonyms" : [ "Laziok" ], - "category" : [ + "type" : [ "stealer", "reco" ] @@ -163,7 +163,7 @@ "Bankosy", "Acecard" ], - "category" : [ + "type" : [ "spyware", "android" ] @@ -184,7 +184,7 @@ "PWOPyExec", "PWOQuery" ], - "category" : [ + "type" : [ "dropper", "coinminer", "spyware" @@ -202,7 +202,7 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "category": [ + "type": [ "rat" ] } @@ -217,7 +217,7 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "category": [ + "type": [ "rat" ] } From 7265af66128a5041fa81257477045a41069d4a4b Mon Sep 17 00:00:00 2001 
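Review bot: Every hunk here turns `category` into `type` while keeping the value as an array, but the schema presumably in force at this point (the schema_clusters.json hunk later on this page still removes `"type": { "type": "string" }`) declares `type` as a string, so after this commit clusters/tool.json fails schema validation. A format change to the cluster entries should land together with the matching schema change in the same commit, which is what eventually happens several patches later after a detour through comma-joined strings. Values such as `"reco"` under the new `type` key also suggest the allowed vocabulary is not yet pinned down; documenting it in the schema would make the rename reviewable.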
From: Thanat0s Date: Fri, 24 Feb 2017 16:24:59 +0100 Subject: [PATCH 49/91] go 4 string --- clusters/tool.json | 57 +++++++++++----------------------------------- 1 file changed, 13 insertions(+), 44 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index d4e84138..c59b455e 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -14,9 +14,7 @@ "Korplug", "Agent.dhwf" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -26,9 +24,7 @@ "refs" : [ "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -38,9 +34,7 @@ "refs" : [ "https://github.com/AlessandroZ/LaZagne" ], - "type" : [ - "tool" - ] + "type" : "tool" } }, { @@ -55,9 +49,7 @@ "Backdoor.Win32.PoisonIvy", "Gen:Trojan.Heur.PT" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -67,9 +59,7 @@ "refs" : [ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ], - "type" : [ - "rat" - ] + "type" :"rat" } }, { @@ -81,9 +71,7 @@ "synonyms" : [ "Anchor Panda" ], - "type" : [ - "rat" - ] + "type": "rat" } }, { @@ -113,9 +101,7 @@ "Trojan.Win32.Staser.ytq", "Win32/Zegost.BW" ], - "type" : [ - "rat" - ] + "type" : "rat" } }, { @@ -128,10 +114,7 @@ "synonyms" : [ "Elise" ], - "type" : [ - "dropper", - "stealer" - ] + "type" : "dropper, stealer" } }, { @@ -144,10 +127,7 @@ "synonyms" : [ "Laziok" ], - "type" : [ - "stealer", - "reco" - ] + "type" : "stealer ,reco" } }, { @@ -163,10 +143,7 @@ "Bankosy", "Acecard" ], - "type" : [ - "spyware", - "android" - ] + "type" : "spyware, android" } }, { @@ -184,11 +161,7 @@ "PWOPyExec", "PWOQuery" ], - "type" : [ - "dropper", - "coinminer", - "spyware" - ] + "type" : "dropper, coinminer, spyware" } }, { @@ -202,9 +175,7 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "type": [ - "rat" - ] + "type": "rat" } }, { 
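Review bot: Packing several type values into one string, as in `"type" : "dropper, stealer"` and `"type" : "stealer ,reco"`, puts structured data inside a string with inconsistent delimiters (`", "` versus `" ,"`), so consumers have to re-parse and trim each value instead of reading an array; the hunks at -128, -144 and -184 all have this shape, and `"type" :"rat"` at -67 adds a third spacing style. The commit also skips the OzoneRAT entry (no hunk between -81 and -113), leaving `type` as an array for that one entry and a string for all the others — the later `@@ -1,167 +1,194 @@` hunk on this page still shows OzoneRAT's `"type" : [ "rat" ]`. Keeping arrays and changing the schema to accept them is the cleaner fix; a mixed-type `type` key is the outcome a schema is meant to prevent.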
@@ -217,9 +188,7 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "type": [ - "rat" - ] + "type": "rat" } }, { From a29a5afbe8fa10cf0ee523257b03305a531aa31d Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 23:36:45 +0100 Subject: [PATCH 50/91] update 2 array --- clusters/tool.json | 349 +++++++++++++++++++++++-------------------- schema_clusters.json | 6 +- 2 files changed, 195 insertions(+), 160 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index c59b455e..20e942b7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1,167 +1,194 @@ { "values": [ - { - "value" : "PlugX", - "description" : "Malware", - "meta" : { - "refs" : [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" - ], - "synonyms" : [ - "Backdoor.FSZO-5117", - "Trojan.Heur.JP.juW@ayZZvMb", - "Trojan.Inject1.6386", - "Korplug", - "Agent.dhwf" - ], - "type" : "rat" - } - }, - { - "value" : "MSUpdater", - "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "meta" : { - "refs" : [ - "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" - ], - "type" : "rat" - } - }, - { - "value" : "Lazagne", - "description" : "A password sthealing tool regularly used by attackers", - "meta" : { - "refs" : [ - "https://github.com/AlessandroZ/LaZagne" - ], - "type" : "tool" - } - }, - { - "value" : "Poison Ivy", - "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.", - "meta" : { - "refs" : [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", - "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" - ], - "synonyms" : [ - "Backdoor.Win32.PoisonIvy", - "Gen:Trojan.Heur.PT" - ], - "type" : "rat" - } - }, - { - "value" : "SPIVY", - "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "meta" : { - "refs" : [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" - ], - "type" :"rat" - } - }, - { - "value" : "Torn RAT", - "meta" : { - "refs" : [ - "https://www.crowdstrike.com/blog/whois-anchor-panda/" - ], - "synonyms" : [ - "Anchor Panda" - ], - "type": "rat" - } - }, - { - "value" : "OzoneRAT", - "meta" : { - "refs" : [ - "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" - ], - 
"synonyms" : [ - "Ozone RAT", - "ozonercp" - ], - "type" : [ - "rat" - ] - } - }, - { - "value" : "ZeGhost", - "description" : "ZeGhots is a RAT which was freely available and first released in 2014.", - "meta" : { - "refs" : [ - "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" - ], - "synonyms" : [ - "BackDoor-FBZT!52D84425CDF2", - "Trojan.Win32.Staser.ytq", - "Win32/Zegost.BW" - ], - "type" : "rat" - } - }, - { - "value" : "Elise Backdoor", - "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "meta" : { - "refs" : [ - "http://thehackernews.com/2015/08/elise-malware-hacking.html" - ], - "synonyms" : [ - "Elise" - ], - "type" : "dropper, stealer" - } - }, - { - "value" : "Trojan.Laziok", - "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", - "meta" : { - "refs" : [ - "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" - ], - "synonyms" : [ - "Laziok" - ], - "type" : "stealer ,reco" - } - }, - { - "value" : "Slempo", - "description" : "Android-based malware", - "meta" : { - "refs" : [ - "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" - ], - "synonyms" : [ - "GM-Bot", - "SlemBunk", - "Bankosy", - "Acecard" - ], - "type" : "spyware, android" - } - }, - { + { + "value": "PlugX", + "description": "Malware", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" + ], + "synonyms": [ + "Backdoor.FSZO-5117", + "Trojan.Heur.JP.juW@ayZZvMb", + "Trojan.Inject1.6386", + "Korplug", + "Agent.dhwf" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "MSUpdater", + "description": " Trojan (RAT) linked to current targeted attacks and others dating back 
to at least early 2009", + "meta": { + "refs": [ + "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "Lazagne", + "description": "A password sthealing tool regularly used by attackers", + "meta": { + "refs": [ + "https://github.com/AlessandroZ/LaZagne" + ], + "type": [ + "tool" + ] + } + }, + { + "value": "Poison Ivy", + "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", + "meta": { + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ], + "synonyms": [ + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "SPIVY", + "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "Torn RAT", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "synonyms": [ + "Anchor Panda" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "OzoneRAT", + "meta": { + "refs": [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ], + "synonyms": [ + "Ozone RAT", + "ozonercp" + ], + "type": [ + "rat" + ] + } + }, + { + "value": "ZeGhost", + "description": "ZeGhots is a RAT which was freely available and first released in 2014.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" + ], + "synonyms": [ + "BackDoor-FBZT!52D84425CDF2", + "Trojan.Win32.Staser.ytq", + "Win32/Zegost.BW" + ], + "type": [ + "rat" + ] + } + }, + { + 
"value": "Elise Backdoor", + "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "meta": { + "refs": [ + "http://thehackernews.com/2015/08/elise-malware-hacking.html" + ], + "synonyms": [ + "Elise" + ], + "type": [ + "dropper", + "stealer" + ] + } + }, + { + "value": "Trojan.Laziok", + "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ], + "synonyms": [ + "Laziok" + ], + "type": [ + "stealer", + "reco" + ] + } + }, + { + "value": "Slempo", + "description": "Android-based malware", + "meta": { + "refs": [ + "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" + ], + "synonyms": [ + "GM-Bot", + "SlemBunk", + "Bankosy", + "Acecard" + ], + "type": [ + "spyware", + "android" + ] + } + }, + { "value": "PWOBot", "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. 
Additionally, the malware is delivered via a popular Polish file-sharing web service.", "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" ], - "synonyms" : [ - "PWOLauncher", - "PWOHTTPD", - "PWOKeyLogger", - "PWOMiner", - "PWOPyExec", - "PWOQuery" + "synonyms": [ + "PWOLauncher", + "PWOHTTPD", + "PWOKeyLogger", + "PWOMiner", + "PWOPyExec", + "PWOQuery" ], - "type" : "dropper, coinminer, spyware" + "type": [ + "dropper", + "miner", + "spyware" + ] } }, { @@ -175,7 +202,9 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], - "type": "rat" + "type": [ + "rat" + ] } }, { @@ -188,7 +217,9 @@ "refs": [ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], - "type": "rat" + "type": [ + "rat" + ] } }, { @@ -198,7 +229,7 @@ "NanoCore", "Nancrat", "Zurten", - "Atros2.CKPN" + "Atros2.CKPN" ], "refs": [ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", diff --git a/schema_clusters.json b/schema_clusters.json index 780bfe14..cf64f74c 100644 --- a/schema_clusters.json +++ b/schema_clusters.json @@ -74,7 +74,11 @@ "type": "string" }, "type": { - "type": "string" + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } }, "impact": { "type": "string" From d502d5b5bfb31d12bd858c133e9d90ed6de018d4 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Fri, 24 Feb 2017 23:46:44 +0100 Subject: [PATCH 51/91] fix side victims of schemaupdate --- clusters/preventive-measure.json | 68 ++++++++++++++++++++++++-------- clusters/tds.json | 28 +++++++++---- 2 files changed, 72 insertions(+), 24 deletions(-) diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json index a9f9089d..fd9c8672 100644 
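Review bot: The MSUpdater ref on the new side, `https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx`, ends in `.pdfx`, which looks like a typo for `.pdf` carried through the reformat; since this hunk (`@@ -1,167 +1,194 @@`) rewrites every line anyway it is the moment to correct it. MSUpdater's description is byte-identical to Elise Backdoor's, including the leading space in `" Trojan (RAT) linked to…"`, which suggests a copy-paste rather than a description of MSUpdater, and Lazagne's `"A password sthealing tool"` keeps its typo. PWOBot's type value also changes from `coinminer` to `miner` in a commit titled "update 2 array"; a vocabulary change is worth a line in the commit message.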
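Review bot: The schema hunk (`@@ -74,7 +74,11 @@`) makes `type` an array with `uniqueItems` but no `minItems` and no `enum`, so an empty `type` array and any spelling of a value validate; on this page alone the same concept is spelled `rat`, `Backdoor`, `stealer`, `PWS` and `reco`. Adding `"minItems": 1,` next to `"uniqueItems": true,` rejects empty arrays, and an `"enum"` on `items` (or a documented `description` of the allowed vocabulary) would turn the naming decisions made in the neighbouring commits into something the validator enforces.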
--- a/clusters/preventive-measure.json +++ b/clusters/preventive-measure.json @@ -8,7 +8,9 @@ "complexity": "Medium", "effectiveness": "High", "impact": "Low", - "type": "Recovery" + "type": [ + "Recovery" + ] }, "value": "Backup and Restore Process", "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore" @@ -22,7 +24,9 @@ "complexity": "Low", "effectiveness": "High", "impact": "Low", - "type": "GPO" + "type": [ + "GPO" + ] }, "value": "Block Macros", "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros" @@ -35,7 +39,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Medium", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "Administrative VBS scripts on Workstations" }, "value": "Disable WSH", @@ -46,7 +52,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Low", - "type": "Mail Gateway" + "type": [ + "Mail Gateway" + ] }, "value": "Filter Attachments Level 1", "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" @@ -56,7 +64,9 @@ "complexity": "Low", "effectiveness": "High", "impact": "High", - "type": "Mail Gateway", + "type": [ + "Mail Gateway" + ], "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " }, "value": "Filter Attachments Level 2", 
@@ -71,7 +81,9 @@ "complexity": "Medium", "effectiveness": "Medium", "impact": "Medium", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "Web embedded software installers" }, "value": "Restrict program execution", @@ -85,7 +97,9 @@ "complexity": "Low", "effectiveness": "Low", "impact": "Low", - "type": "User Assistence" + "type": [ + "User Assistence" + ] }, "value": "Show File Extensions", "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")" @@ -98,7 +112,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Low", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "administrator resentment" }, "value": "Enforce UAC Prompt", @@ -109,7 +125,9 @@ "complexity": "Medium", "effectiveness": "Medium", "impact": "Medium", - "type": "Best Practice", + "type": [ + "Best Practice" + ], "possible_issues": "igher administrative costs" }, "value": "Remove Admin Privileges", @@ -120,7 +138,9 @@ "complexity": "Medium", "effectiveness": "Low", "impact": "Low", - "type": "Best Practice" + "type": [ + "Best Practice" + ] }, "value": "Restrict Workstation Communication", "description": "Activate the Windows Firewall to restrict workstation to workstation communication" @@ -129,7 +149,9 @@ "meta": { "complexity": "Medium", "effectiveness": "High", - "type": "Advanced Malware Protection" + "type": [ + "Advanced Malware Protection" + ] }, "value": "Sandboxing Email Input", "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis" 
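Review bot: The hunk at `@@ -85,7 +97,9 @@` rewrites the Show File Extensions type as an array but keeps the misspelling, so `"User Assistence"` is now written on the new side; while the line is being touched it should read `"User Assistance"`. The nearby `"possible_issues": "igher administrative costs"` in the Remove Admin Privileges hunk is context here, but it is the same class of typo and could be fixed in the same pass. Since `type` values in this file act as a category vocabulary, misspellings split one category into two and are worth catching.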
@@ -138,7 +160,9 @@ "meta": { "complexity": "Medium", "effectiveness": "Medium", - "type": "3rd Party Tools" + "type": [ + "3rd Party Tools" + ] }, "value": "Execution Prevention", "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor" @@ -151,7 +175,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Medium", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." }, "value": "Change Default \"Open With\" to Notepad", @@ -165,7 +191,9 @@ "complexity": "Low", "effectiveness": "Medium", "impact": "Low", - "type": "Monitoring" + "type": [ + "Monitoring" + ] }, "value": "File Screening", "description": "Server-side file screening with the help of File Server Resource Manager" @@ -179,7 +207,9 @@ "complexity": "Medium", "effectiveness": "Medium", "impact": "Medium", - "type": "GPO", + "type": [ + "GPO" + ], "possible_issues": "Configure & test extensively" }, "value": "Restrict program execution #2", @@ -194,7 +224,9 @@ "complexity": "Medium", "effectiveness": "Medium", "impact": "Low", - "type": "GPO" + "type": [ + "GPO" + ] }, "value": "EMET", "description": "Detect and block exploitation techniques" @@ -207,7 +239,9 @@ "complexity": "Medium", "effectiveness": "Low", "impact": "Low", - "type": "3rd Party Tools" + "type": [ + "3rd Party Tools" + ] }, "value": "Sysmon", "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring" diff --git a/clusters/tds.json b/clusters/tds.json index 5cbf9963..6a06fbba 100755 --- a/clusters/tds.json +++ b/clusters/tds.json @@ -7,7 +7,9 @@ "refs": [ "https://keitarotds.com/" ], - "type": "Commercial" + "type": [ + "Commercial" + ] } }, { @@ -17,7 +19,9 @@ "refs": [ "http://kytoon.com/sutra-tds.html" ], - "type": "Commercial" + "type": [ + "Commercial" + ] } }, { 
@@ -30,7 +34,9 @@ "synonyms": [ "Stds" ], - "type": "OpenSource" + "type": [ + "OpenSource" + ] } }, { @@ -40,7 +46,9 @@ "refs": [ "http://bosstds.com/" ], - "type": "Commercial" + "type": [ + "Commercial" + ] } }, { @@ -50,21 +58,27 @@ "refs": [ "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html" ], - "type": "Underground" + "type": [ + "Underground" + ] } }, { "value": "Futuristic TDS", "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer", "meta": { - "type": "Underground" + "type": [ + "Underground" + ] } }, { "value": "Orchid TDS", "description": "Orchid TDS was sold underground. Rare usage", "meta": { - "type": "Underground" + "type": [ + "Underground" + ] } } ], From 50d2b1c87126dd395a246d3cf4602956b8150b04 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 00:42:44 +0100 Subject: [PATCH 52/91] go for caro, add hi-zor --- clusters/tool.json | 56 +++++++++++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 18 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 20e942b7..5469aecb 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -15,7 +15,7 @@ "Agent.dhwf" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -27,7 +27,7 @@ "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -39,7 +39,7 @@ "https://github.com/AlessandroZ/LaZagne" ], "type": [ - "tool" + "HackTool" ] } }, @@ -56,7 +56,7 @@ "Gen:Trojan.Heur.PT" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -68,7 +68,7 @@ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -82,7 +82,7 @@ "Anchor Panda" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -97,7 +97,7 @@ "ozonercp" ], "type": [ - "rat" + "Backdoor" ] } }, 
@@ -114,13 +114,13 @@ "Win32/Zegost.BW" ], "type": [ - "rat" + "Backdoor" ] } }, { "value": "Elise Backdoor", - "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", "meta": { "refs": [ "http://thehackernews.com/2015/08/elise-malware-hacking.html" @@ -130,7 +130,7 @@ ], "type": [ "dropper", - "stealer" + "PWS" ] } }, @@ -145,7 +145,7 @@ "Laziok" ], "type": [ - "stealer", + "PWS", "reco" ] } @@ -164,8 +164,8 @@ "Acecard" ], "type": [ - "spyware", - "android" + "Spyware", + "AndroidOS" ] } }, @@ -185,9 +185,9 @@ "PWOQuery" ], "type": [ - "dropper", - "miner", - "spyware" + "Dropper", + "Miner", + "Spyware" ] } }, @@ -203,7 +203,7 @@ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -218,7 +218,7 @@ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" ], "type": [ - "rat" + "Backdoor" ] } }, @@ -234,6 +234,9 @@ "refs": [ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter", "https://nanocore.io/" + ], + "type": [ + "Backdoor" ] } }, @@ -242,6 +245,23 @@ "meta": { "synonyms": [ "Sakurel" + ], + "refs": [ + "https://www.secureworks.com/research/sakula-malware-family" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "Hi-ZOR", + "meta": { + "refs": [ + "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html" + ], + "type": [ + "Backdoor" ] } }, From bce60b0318bf06c93d8dc5b58674cdb94b8dd735 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 01:06:19 +0100 Subject: [PATCH 53/91] merge IEchecker et sasfi --- clusters/tool.json | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 5469aecb..c6365680 100644 --- a/clusters/tool.json 
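Review bot: The `meta.type` vocabulary is left in mixed case after this rename pass: in `@@ -130,7 +130,7 @@` the context value `"dropper",` stays lowercase beside the new `"PWS"`, `"reco"` stays lowercase in `@@ -145,7 +145,7 @@`, and `@@ -185,9 +185,9 @@` capitalises the same word to `"Dropper"`. Consumers that match on these strings will treat `dropper` and `Dropper` as two different types, so the two lowercase context values should be brought in line in this commit (`"Dropper",` and a chosen casing for `reco`). An `enum` for `meta.type` in schema_clusters.json would let validate_all.sh catch this drift instead of a reviewer.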
+++ b/clusters/tool.json @@ -271,9 +271,6 @@ { "value": "EvilGrab" }, - { - "value": "IEChecker" - }, { "value": "Trojan.Naid" }, @@ -496,10 +493,15 @@ "description": "credential harvester", "meta": { "synonyms": [ - "Sasfis" + "Sasfis", + "BackDoor-FDU", + "IEChecker" ], "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "type": [ + "PWS" ] } }, From e98de5cb5eab6e404d5940d0e1ab8f1853381cc1 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 01:12:42 +0100 Subject: [PATCH 54/91] add derusbi --- clusters/tool.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index c6365680..bfb41542 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -266,7 +266,19 @@ } }, { - "value": "Derusbi" + "value": "Derusbi", + "meta": { + "synonyms": [ + "TROJ_DLLSERV.BE" + ], + "refs": [ + "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", + "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "EvilGrab" @@ -498,6 +510,7 @@ "IEChecker" ], "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "type": [ From 724e836ae93e2c4795dc18458459e65ec72d478e Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 01:18:03 +0100 Subject: [PATCH 55/91] remove coreshell duplicate --- clusters/tool.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index bfb41542..fab733ff 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -270,7 +270,7 @@ "meta": { "synonyms": [ "TROJ_DLLSERV.BE" - ], + ], "refs": [ "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf" @@ -439,9 +439,6 @@ ] } }, - { - "value": "CORESHELL" - }, { "value": "CHOPSTICK", "description": "backdoor", From 59b5ed6c1bdd1b7a9152e2b52ac78cd898ead5f4 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 01:30:10 +0100 Subject: [PATCH 56/91] update evilgrab --- clusters/tool.json | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index fab733ff..b2137edc 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -281,7 +281,22 @@ } }, { - "value": "EvilGrab" + "value": "EvilGrab", + "meta": { + "synonyms": [ + "BKDR_HGDER", + "BKDR_EVILOGE", + "BKDR_NVICM", + "Wmonder" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/", + "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "Trojan.Naid" From 7eb98609a36bf0ac7d47a9d95801de2eb366a144 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 01:42:33 +0100 Subject: [PATCH 57/91] udpate trojan.main --- clusters/tool.json | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index b2137edc..a77699f7 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -299,7 +299,25 @@ } }, { - "value": "Trojan.Naid" + "value": "Trojan.Naid", + "meta": { + "synonyms": [ + "Naid", + "Mdmbot.E", + "AGENT.GUNZ", + "AGENT.AQUP.DROPPER", + "AGENT.BMZA", + "MCRAT.A", + "AGENT.ABQMR" + ], + "refs": [ + "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid", + "http://telussecuritylabs.com/threats/show/TSL20120614-05" + ], + "type": [ + "Dropper" + ] + } }, { "value": "Backdoor.Moudoor" From 3d79a82bf5acdbca00c0e5e3b44aa4319cd5d404 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 02:08:51 +0100 Subject: [PATCH 58/91] Add Tinba banking --- clusters/tool.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/clusters/tool.json b/clusters/tool.json index a77699f7..f474d8c0 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1,5 +1,23 @@ { "values": [ + { + "value": "Tinba", + "description": "Banking Malware", + "meta": { + "refs": [ + "https://thehackernews.com/search/label/Zusy%20Malware", + "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/" + ], + "synonyms": [ + "Hunter", + "Zusy", + "TinyBanker" + ], + "type": [ + "Banking" + ] + } + }, { "value": "PlugX", "description": "Malware", From d4e3a08995ff94e41e6c754a8ff6fa9f82e5819e Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 02:22:30 +0100 Subject: [PATCH 59/91] add moudor info --- clusters/tool.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index f474d8c0..ed82b3dc 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -338,7 +338,21 @@ } }, { - "value": "Backdoor.Moudoor" + "value": "Moudoor", + "description": "Backdoor.Moudoor, a customized version of Gh0st RAT", + "meta": { + "synonyms": [ + "SCAR", + "KillProc.14145" + ], + "refs": [ + "http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495", + "https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "NetTraveler" From 47903f839401ba47d2083793cff5d87a2ce22849 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 02:28:43 +0100 Subject: [PATCH 60/91] add info to the famous mimikatz --- clusters/tool.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index ed82b3dc..9562a70a 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -361,7 +361,19 @@ "value": "Winnti" }, { - "value": "Mimikatz" + "value": "Mimikatz", + "description": "Ease Credential stealh and replay, A little tool to play with Windows security.", + "meta": { + "synonyms": [ + "Mikatz" + ], + "refs": [ + "https://github.com/gentilkiwi/mimikatz" + ], + "type": [ + "HackTool" + ] + } }, { "value": "WEBC2" From 2c263b91ded31aeb76a03314f2c5b8964aad8b4c Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sat, 25 Feb 2017 10:23:51 +0100 Subject: [PATCH 61/91] modify validators to check json an format, stop on any error --- jq_all_the_things.sh | 15 +++++++++++++-- validate_all.sh | 35 ++++++++++++++++++++++++++--------- 2 files changed, 39 insertions(+), 11 deletions(-) diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh index 16e241ef..2d9cc620 100755 --- a/jq_all_the_things.sh +++ b/jq_all_the_things.sh 
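Review bot: The element's `value` changes from `Backdoor.Moudoor` to `Moudoor` and the old string is not carried over, so anything that identified the element by its previous value (tags or lookups built from `value`, if that is how consumers address elements) stops resolving, and the duplicate checker added later in this series (tools/chk_dup.py) only compares `value` and `synonyms`. Keep the former name as an alias: `"SCAR",` / `"KillProc.14145",` / `"Backdoor.Moudoor"`. The same rename-without-alias happens for `BACKSPACe` → `Backspace` in patch 73 and `NETEAGLE` → `Neteagle` in patch 76.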
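Review bot: The new description `Ease Credential stealh and replay, A little tool to play with Windows security.` has a typo and inconsistent capitalisation; `"description": "Eases credential stealing and replay; a little tool to play with Windows security.",` reads cleanly. The synonym `Mikatz` is worth confirming against the cited repository before it becomes a matching key, since a misspelt alias matches nothing useful.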
@@ -1,17 +1,28 @@ #!/bin/bash +# Seeds sponge, from moreutils + +#Validate all Jsons first +for dir in `find . -name "*.json"` +do + echo validating ${dir} + cat ${dir} | jq . >/dev/null + rc=$? + if [[ $rc != 0 ]]; then exit $rc; fi +done + set -e set -x -# Seeds sponge, from moreutils - for dir in clusters/*.json do + # Beautify it cat ${dir} | jq . | sponge ${dir} done for dir in galaxies/*.json do + # Beautify it cat ${dir} | jq . | sponge ${dir} done diff --git a/validate_all.sh b/validate_all.sh index bcf06407..455c64d1 100755 --- a/validate_all.sh +++ b/validate_all.sh @@ -1,21 +1,34 @@ #!/bin/bash +# Check Jsons format, and beautify +./jq_all_the_things.sh +rc=$? +if [[ $rc != 0 ]]; then + exit $rc +fi + set -e set -x -./jq_all_the_things.sh - -diffs=`git status --porcelain | wc -l` - -if ! [ $diffs -eq 0 ]; then - echo "Please make sure you run ./jq_all_the_things.sh before commiting." - exit 1 -fi +# fixme to remove.. +# Not need anymore ow, jq stop upon error... +# diffs=`git status --porcelain | wc -l` +# +#if ! [ $diffs -eq 0 ]; then +# echo "Please make sure you run ./jq_all_the_things.sh before commiting." +# exit +#fi +# Validate schemas for dir in clusters/*.json do echo -n "${dir}: " jsonschema -i ${dir} schema_clusters.json + rc=$? + if [[ $rc != 0 ]]; then + echo "Error on ${dir}" + exit $rc + fi echo '' done @@ -23,6 +36,10 @@ for dir in galaxies/*.json do echo -n "${dir}: " jsonschema -i ${dir} schema_galaxies.json + rc=$? + if [[ $rc != 0 ]]; then + echo "Error on ${dir}" + exit $rc + fi echo '' done - From 5c0feb1b1a950d7a283ab7da4e36954aeb155d83 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 02:53:06 +0100 Subject: [PATCH 62/91] add tool to find duplicate --- tools/chk_dup.py | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100755 tools/chk_dup.py diff --git a/tools/chk_dup.py b/tools/chk_dup.py new file mode 100755 index 00000000..2ed2f897 --- /dev/null 
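Review bot: The new validation loop iterates ``for dir in `find . -name "*.json"` ``, which word-splits on whitespace in paths and pathname-expands the result, so a file with a space in its name is checked as two bogus paths and the script exits non-zero for the wrong reason; the `${dir}` expansions in this loop and in both beautify loops are unquoted for the same reason. A NUL-delimited read keeps the early-exit semantics: `while IFS= read -r -d '' f; do` / `  jq . "${f}" >/dev/null || { echo "invalid JSON: ${f}"; exit 1; }` / `done < <(find . -name '*.json' -print0)`. The beautify loops can likewise read the file directly, `jq . "${dir}" | sponge "${dir}"`, instead of piping through `cat`.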
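Review bot: The `rc=$?` / `if [[ $rc != 0 ]]` block added after `jsonschema -i ${dir} schema_clusters.json` is unreachable: `set -e` is enabled a few lines above, so a failing jsonschema aborts the script before `rc=$?` runs and `Error on ${dir}` is never printed (the galaxies loop in `@@ -23,6 +36,10 @@` has the same dead branch). Test the command directly so the message survives: `jsonschema -i "${dir}" schema_clusters.json || { echo "Error on ${dir}"; exit 1; }`. The earlier check on `./jq_all_the_things.sh` sits before `set -e` and therefore does work as written.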
+++ b/tools/chk_dup.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+    Tools to find duplicate in galaxies
+"""
+import json
+import os
+import collections
+
+
+def loadjsons(path):
+    """
+    Find all Jsons and load them in a dict
+    """
+    files = []
+    data = []
+    for name in os.listdir(path):
+        if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
+            files.append(name)
+    for jfile in files:
+        data.append(json.load(open("%s/%s" % (path, jfile))))
+    return data
+
+if __name__ == '__main__':
+    """
+    Iterate all name + synonyms
+    tell what is duplicated.
+    """
+    jsons = loadjsons("../clusters")
+    counter = collections.Counter()
+    namespace = []
+    for djson in jsons:
+        items = djson.get('values')
+        for entry in items:
+            name = entry.get('value').strip().lower()
+            counter[name]+=1
+            namespace.append([name, djson.get('name')])
+            try:
+                for synonym in entry.get('meta').get('synonyms'):
+                    name = synonym.strip().lower()
+                    counter[name]+=1
+                    namespace.append([name, djson.get('name')])
+            except (AttributeError, TypeError):
+                pass
+    counter = dict(counter)
+    for key, val in counter.items():
+        if val>1:
+            print ("Warning duplicate %s" % key)
+            for item in namespace:
+                if item[0]==key:
+                    print (item)
From 3073877d105c4c10af26b104389f8ab721fe32e4 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Sun, 26 Feb 2017 03:16:41 +0100
Subject: [PATCH 63/91] block by default, but usable anyway with param
---
 validate_all.sh | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/validate_all.sh b/validate_all.sh
index 455c64d1..31f47d76 100755
--- a/validate_all.sh
+++ b/validate_all.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 
+# This file launch all validation of the jsons and schemas
+# By default, It stop on file not commited.
+
+# you could test with command ./validate_all.sh something
+
+
 # Check Jsons format, and beautify
 ./jq_all_the_things.sh
 rc=$?
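Review bot: `data.append(json.load(open("%s/%s" % (path, jfile))))` opens each cluster file without closing it and builds the path by hand although `os.path.join` is already used two lines above; `with open(os.path.join(path, jfile), encoding='utf-8') as fh:` / `    data.append(json.load(fh))` fixes both. The script also always exits 0, so it cannot act as a gate in validate_all.sh; remembering whether any `Warning duplicate` line was printed and ending with `sys.exit(1)` in that case would make it usable there. `loadjsons("../clusters")` resolves against the caller's working directory rather than the script's location, and the module docstring (`Tools to find duplicate in galaxies`) does not say which directory is scanned; `os.path.join(os.path.dirname(__file__), '..', 'clusters')` and a docstring naming clusters/ would remove the surprise.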
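Review bot: The new header comment is hard to follow as written (`This file launch all validation of the jsons and schemas`, `It stop on file not commited`). Suggested wording: `# Runs the JSON format check/beautifier, then the schema validation for clusters/ and galaxies/.` / `# By default the script stops when the working tree has uncommitted changes; pass any argument (e.g. ./validate_all.sh something) to continue anyway.`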
@@ -10,14 +16,13 @@ fi set -e set -x -# fixme to remove.. -# Not need anymore ow, jq stop upon error... -# diffs=`git status --porcelain | wc -l` -# -#if ! [ $diffs -eq 0 ]; then -# echo "Please make sure you run ./jq_all_the_things.sh before commiting." -# exit -#fi +diffs=`git status --porcelain | wc -l` +if ! [ $diffs -eq 0 ]; then + echo "Please make sure you run ./jq_all_the_things.sh before commiting." + if [ $# -eq 0 ]; then + exit 1 + fi +fi # Validate schemas for dir in clusters/*.json From afe682cf3f53ccd79753fe5af2c0ad0bd2c3f9b8 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 16:52:59 +0100 Subject: [PATCH 64/91] Remove duplicate AlienSpy --- clusters/tool.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 9562a70a..f81668a8 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -439,10 +439,6 @@ "value": "Dark Comet", "description": "RAT initialy identified in 2011 and still actively used." }, - { - "value": "AlienSpy", - "description": "RAT for Apple OS X platforms" - }, { "value": "Cadelspy", "meta": { From 93df12be35d13e560934988c5238db596c81c561 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 17:06:19 +0100 Subject: [PATCH 65/91] update apt28 tools --- clusters/tool.json | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index f81668a8..7ae92a6c 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
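Review bot: ``diffs=`git status --porcelain | wc -l` `` counts every modified or untracked path in the repository, not only the cluster and galaxy files that `./jq_all_the_things.sh` just rewrote, so the `Please make sure you run ./jq_all_the_things.sh` message also fires on unrelated work in progress and never says which file is unformatted. Scoping the check to the directories the beautifier touches gives an accurate answer and a useful listing: `if ! git diff --quiet -- clusters galaxies; then` / `  git diff --stat -- clusters galaxies`. The bypass `if [ $# -eq 0 ]` accepts any argument, which is fine for a local run but worth stating in the usage comment so a CI invocation does not pass one by accident.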
@@ -514,32 +514,38 @@ }, { "value": "CHOPSTICK", - "description": "backdoor", + "description": "backdoor used by apt28 ", "meta": { "synonyms": [ - "Xagent", "webhp", "SPLM", "(.v2 fysbis)" ], "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", + "type": [ + "Backdoor" ] } }, { "value": "EVILTOSS", - "description": "backdoor", + "description": "backdoor used by apt28", "meta": { "synonyms": [ "Sedreco", "AZZY", - "Xagent", "ADVSTORESHELL", "NETUI" ], "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", + "type": [ + "Backdoor" ] } }, From 7d62d8c3e7fd3b391873ba6545d4af2febb35053 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 17:08:43 +0100 Subject: [PATCH 66/91] cleanup zeus duplicate in alias and name --- clusters/tool.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 7ae92a6c..032d7234 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1387,8 +1387,7 @@ "meta": { "synonyms": [ "Trojan.Zbot", - "Zbot", - "ZeuS" + "Zbot" ], "refs": [ "https://en.wikipedia.org/wiki/Zeus_(malware)", From 8de827977ce93217b4c118245330a5e49349f057 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 19:21:41 +0100 Subject: [PATCH 67/91] Pimp nettraveler --- clusters/tool.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 032d7234..bc3daf24 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
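Review bot: `"description": "backdoor used by apt28 ",` keeps a trailing space inside the value, which jq's reformatting preserves and which is visible wherever the string is rendered or compared exactly; write `"description": "backdoor used by apt28",` (the EVILTOSS entry in the same hunk has it right). The `possible_issues` sentence `Report tells that is could be Xagent alias (Java Rat)` is hard to parse; `"possible_issues": "The cited FireEye report suggests this may be an alias of X-Agent (Java RAT)"` says the same thing. Since X-Agent is its own element in this cluster, pointing at it there is more useful to readers than the removed `Xagent` synonym was.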
@@ -355,7 +355,20 @@ } }, { - "value": "NetTraveler" + "value": "NetTraveler", + "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.", + "meta": { + "synonyms": [ + "TravNet", + "Netfile" + ], + "refs": [ + "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "Winnti" From 0775bfce6298c3558741ebd5105b4fbc66327996 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 19:26:21 +0100 Subject: [PATCH 68/91] pimp winnti --- clusters/tool.json | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index bc3daf24..56e6d543 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -356,7 +356,7 @@ }, { "value": "NetTraveler", - "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.", + "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.", "meta": { "synonyms": [ "TravNet", 
@@ -371,7 +371,21 @@ } }, { - "value": "Winnti" + "value": "Winnti", + "description": "APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.", + "meta": { + "synonyms": [ + "Etso", + "SUQ", + "Agent.ALQHI" + ], + "refs": [ + "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "Mimikatz", From 6e78746a6cb030003e3caebfa7a53438045fd450 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 19:37:10 +0100 Subject: [PATCH 69/91] pimp webc2 --- clusters/tool.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 56e6d543..b4a9d1cf 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -403,7 +403,17 @@ } }, { - "value": "WEBC2" + "value": "WEBC2", + "description": "Backdoor attribued to APT1", + "meta": { + "refs": [ + "https://github.com/gnaegle/cse4990-practical3", + "https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "Pirpi", From ca68abc0e816c38e976d41bdd3bbf923cd97e9ef Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 19:56:17 +0100 Subject: [PATCH 70/91] Pimp Pirpi. Hard to say:) --- clusters/tool.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/clusters/tool.json b/clusters/tool.json index b4a9d1cf..cc6af7f2 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
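Review bot: The only reference on the new Winnti element is `https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/`, which is the NetTraveler article from the previous commit, while the description cites Novetta's Operation SMN analysis and Kaspersky's 2013 reporting; this looks like a copy-paste of the neighbouring entry's `refs`. Replace it with the report the description is drawn from, `"refs": ["<URL of the Novetta Operation SMN Winnti report>"]`. The description itself opens with `APT used As part of Operation SMN, Novetta analyzed…`, a fragment spliced onto a quote; a lead such as `Backdoor family analysed by Novetta as part of Operation SMN …` would read as a description of the tool.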
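Review bot: `"description": "Backdoor attribued to APT1"` has a typo (`attributed`). The two references appear to be a coursework repository (`cse4990-practical3`) and a blog post rather than the primary reporting on WEBC2; a `<primary APT1 report URL>` placeholder filled with the report that documents the family would make the element verifiable.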
@@ -417,9 +417,17 @@ }, { "value": "Pirpi", + "description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.", "meta": { + "synonyms": [ + "Badey", + "EXL" + ], "refs": [ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ], + "type": [ + "Backdoor" ] } }, From cdc80e5596218bec148009f3ff6de91310e24bcc Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 20:02:34 +0100 Subject: [PATCH 71/91] Pimp RarStone --- clusters/tool.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index cc6af7f2..ea337c49 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -432,7 +432,16 @@ } }, { - "value": "RARSTONE" + "value": "RARSTONE", + "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it’s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "BACKSPACe" From 0d0ba42f1506d2c7b576220e309f4aa8ec6bee10 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 20:16:46 +0100 Subject: [PATCH 72/91] Pimp lecna/Backspace --- clusters/tool.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index ea337c49..86fc9481 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
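Review bot: The RARSTONE description contains `the other RAT know as Plug is`, which looks like a garbled `known as PlugX`; the family name should be confirmed against the cited Trend Micro post before committing. `… it’s characterized by a great affinity with the other RAT known as PlugX and was used in April …` is the likely intended text.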
@@ -444,7 +444,20 @@ } }, { - "value": "BACKSPACe" + "value": "BACKSPACe", + "description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).", + "meta": { + "synonyms": [ + "Lecna" + ], + "refs": [ + "https://www2.fireeye.com/WEB-2015RPTAPT30.html", + "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "XSControl" From 51eee31c216a64a237fd3c7c6a9ac865893126cc Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 20:16:59 +0100 Subject: [PATCH 73/91] Pimp lecna/Backspace --- clusters/tool.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 86fc9481..60ab3444 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -444,7 +444,7 @@ } }, { - "value": "BACKSPACe", + "value": "Backspace", "description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).", "meta": { "synonyms": [ From b400edbe9bad5514ebd641353d01d6e3c9d477a8 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 20:40:44 +0100 Subject: [PATCH 74/91] Update Xagent from aptnote Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web(02-23-2017) --- clusters/tool.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 60ab3444..72f1a371 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -1126,12 +1126,17 @@ }, { "value": "X-Agent", + "description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.", "meta": { "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/", + "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq" ], "synonyms": [ "XAgent" + ], + "type": [ + "Backdoor" ] } }, From f4584f39005c176a1f1c06846903b3c1f6e3519c Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 22:41:51 +0100 Subject: [PATCH 75/91] pimp xscontrol --- clusters/tool.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 72f1a371..3025a768 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -460,7 +460,17 @@ } }, { - "value": "XSControl" + "value": "XSControl", + "description": "Backdoor user by he Naikon APT group", + "meta": { + "refs": [ + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "NETEAGLE" @@ -628,6 +638,9 @@ ], "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "type": [ + "Backdoor" ] } }, From b865342f2e3c8bc0f2726f8e670c96245617e5e6 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 22:47:16 +0100 Subject: [PATCH 76/91] pimp xneteagle --- clusters/tool.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 3025a768..46a361bf 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
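Review bot: The added reference `https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq` is an anonymous file-share link whose content can change or disappear under the same URL, so it neither identifies the document nor lets a reader verify the claims; the commit message names the Bitdefender whitepaper on the Mac APT, so cite it by title or by the vendor's own URL (`<Bitdefender whitepaper URL>`). `Osx` in the description should be `OS X`/`macOS` to match the platform name.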
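Review bot: `"description": "Backdoor user by he Naikon APT group"` has two typos; `"description": "Backdoor used by the Naikon APT group",` is the intended text. The rest of the element (refs, `type`) follows the shape of its neighbours.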
@@ -473,7 +473,21 @@ } }, { - "value": "NETEAGLE" + "value": "Neteagle", + "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.", + "meta": { + "refs": [ + "https://attack.mitre.org/wiki/Software/S0034", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [ + "scout", + "norton" + ], + "type": [ + "Backdoor" + ] + } }, { "value": "Agent.BTZ", From 2d658a657779df6087ab92e61091614f5d894b22 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 22:53:51 +0100 Subject: [PATCH 77/91] pimp comrat --- clusters/tool.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/clusters/tool.json b/clusters/tool.json index 46a361bf..645896e1 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -491,9 +491,16 @@ }, { "value": "Agent.BTZ", + "description": "In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.", "meta": { "synonyms": [ "ComRat" + ], + "refs": [ + "https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat" + ], + "type": [ + "Backdoor" ] } }, From 3774f0523730214c3a35b681e2ba6a3248317f51 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 23:07:42 +0100 Subject: [PATCH 78/91] Somes alias fetch from : https://attack.mitre.org/wiki/Groups --- clusters/threat-actor.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3197fee2..c7d03b71 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9,7 +9,8 @@ "Advanced Persistent Threat 1", "Byzantine Candor", "Group 3", - "TG-8223" + "TG-8223", + "Comment Group" ], "country": "CN", "refs": [ 
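Review bot: The synonyms `scout` and `norton` are ordinary words (one is also an antivirus brand), so as lowercase aliases they will match far more than this family wherever names are compared case-insensitively; the duplicate checker added in this series (tools/chk_dup.py) lowercases every value and synonym before counting, so these two will collide with any element that uses the same words. The description already explains that Scout and Norton are the variant names; keeping them there and dropping them from `synonyms`, or at least writing them as the reports spell them (`"Scout"`, `"Norton"`), would reduce the noise.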
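Review bot: The new description (`In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor…`) describes the cited blog post rather than the malware, so a reader learns when an article appeared but not what Agent.BTZ is. A description of the family itself would fit the cluster better, for example `Agent.BTZ is a backdoor whose successor ComRAT was analysed by G DATA, which links the family to the Uroburos rootkit.`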
@@ -670,7 +671,9 @@ "synonyms": [ "Operation Cleaver", "Tarh Andishan", - "Alibaba" + "Alibaba", + "2889", + "TG-2889" ], "refs": [ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" @@ -1100,6 +1103,10 @@ }, { "meta": { + "synonyms": [ + "TG-3390", + "Emissary Panda" + ], "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "https://attack.mitre.org" From f1ea577e9559ef4039741816573a32b3f0cbfd1f Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 23:24:51 +0100 Subject: [PATCH 79/91] pimp and agreggate turla --- clusters/tool.json | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 645896e1..1a1513da 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -525,10 +525,22 @@ } }, { - "value": "Turla" - }, - { - "value": "Uroburos" + "value": "Turla", + "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver).", + "meta": { + "synonyms": [ + "Snake", + "Uroburos", + "Urouros" + ], + "refs": [ + "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf" + ], + "type": [ + "Backdoor", + "Rootkit" + ] + } }, { "value": "Winexe" From 849ca3ebbc22315bd4ab6a53bc7ef3be05959ee1 Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Sun, 26 Feb 2017 23:38:50 +0100 Subject: [PATCH 80/91] Pimp Epic turla --- clusters/tool.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 1a1513da..6ca44546 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
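Review bot: `"2889"` is added as a synonym of Operation Cleaver next to `"TG-2889"`; a bare four-digit number is not a usable alias and will match unrelated text or other numeric identifiers wherever synonyms are used for lookup, so drop it and keep `"TG-2889"` only. The `Comment Group` addition in `@@ -9,7 +9,8 @@` and the `TG-3390`/`Emissary Panda` synonyms in `@@ -1100,6 +1103,10 @@` are fine as given.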
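Review bot: The Turla description `Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver).` has an unbalanced closing parenthesis and mixes two dash characters; `… Name comes from the Microsoft detection signature, an anagram of Ultra (Ultra3 was the name of the fake driver).` is the likely intent. The synonym `Urouros` looks like a misspelling of `Uroburos`, which is already listed; confirm it against the cited FIRST paper before keeping both. Folding the former `Uroburos` element into this one drops it as a standalone `value`, which the `Uroburos` synonym covers.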
@@ -517,10 +517,16 @@ "meta": { "synonyms": [ "Tavdig", - "Epic Turla" + "Epic Turla", + "WorldCupSec", + "TadjMakhal" ], "refs": [ + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" + ], + "type": [ + "Backdoor" ] } }, From 9eb2d097f2d49898a308999b6e129e2a80fd9ccb Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 27 Feb 2017 00:23:56 +0100 Subject: [PATCH 81/91] add a bunch of rat from ratdecoder list --- clusters/tool.json | 422 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 421 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 6ca44546..cfb99e28 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -518,7 +518,7 @@ "synonyms": [ "Tavdig", "Epic Turla", - "WorldCupSec", + "WorldCupSec", "TadjMakhal" ], "refs": [ 
@@ -1626,6 +1626,426 @@ ] } }, + { + "value": "adzok", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "albertino", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "arcom", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "blacknix", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "bluebanana", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "bozok", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "clientmesh", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "crimson", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "cybergate", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "darkcomet", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "darkrat", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + 
], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "gh0st", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "greame", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "hawkeye", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "javadropper", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "lostdoor", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "luxnet", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "pandora", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "poisonivy", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "predatorpain", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "punisher", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "qrat", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + 
"https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "shadowtech", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "smallnet", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "spygate", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "template", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "tapaoux", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "vantom", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "virusrat", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "xena", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "xtreme", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "darkddoser", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "jspy", + "description": "Remote Access Trojan", + "meta": { + "refs": 
[ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "njrat", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, + { + "value": "xrat", + "description": "Remote Access Trojan", + "meta": { + "refs": [ + "https://github.com/kevthehermit/RATDecoders" + ], + "type": [ + "Backdoor" + ] + } + }, { "value": "PupyRAT", "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.", From 07cc13feb88a71521fec1adbec3d03f6b3c16c1d Mon Sep 17 00:00:00 2001 From: Thanat0s Date: Mon, 27 Feb 2017 00:38:39 +0100 Subject: [PATCH 82/91] remove duplicate of ratdecode import --- clusters/tool.json | 33 ++++++++------------------------- 1 file changed, 8 insertions(+), 25 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index cfb99e28..fafb104d 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -233,7 +233,8 @@ "Jorik" ], "refs": [ - "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf" + "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf", + "https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar" ], "type": [ "Backdoor" @@ -1238,6 +1239,9 @@ "meta": { "refs": [ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ], + "type": [ + "Backdoor" ] } }, @@ -1247,6 +1251,9 @@ "meta": { "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" + ], + "type": [ + "Backdoor" ] } }, 
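Review bot: `"value": "template"` looks like the name of the decoder stub in the RATDecoders repository rather than a malware family and should not become a taggable cluster value; please drop it. Every entry in this hunk also carries the placeholder description `Remote Access Trojan` and a reference to the repository root, which gives an analyst nothing to verify — pointing each `refs` entry at the family's decoder or YARA file (the series itself uses the form `https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar` elsewhere) would at least make the source traceable. The all-lowercase values (`darkcomet`, `gh0st`, `poisonivy`, `xtreme`) differ from the capitalisation used elsewhere in this cluster (`PupyRAT` in the context lines), so case-insensitive duplicates of families already present under their usual names are likely and worth checking. Entries such as `darkddoser` and `javadropper` are named like a DDoS bot and a dropper rather than the `Backdoor` type they are given; confirm the type against the decoder before tagging.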
@@ -1710,18 +1717,6 @@
 ]
 }
 },
- {
- "value": "crimson",
- "description": "Remote Access Trojan",
- "meta": {
- "refs": [
- "https://github.com/kevthehermit/RATDecoders"
- ],
- "type": [
- "Backdoor"
- ]
- }
- },
 {
 "value": "cybergate",
 "description": "Remote Access Trojan",
@@ -2022,18 +2017,6 @@
 ]
 }
 },
- {
- "value": "njrat",
- "description": "Remote Access Trojan",
- "meta": {
- "refs": [
- "https://github.com/kevthehermit/RATDecoders"
- ],
- "type": [
- "Backdoor"
- ]
- }
- },
 {
 "value": "xrat",
 "description": "Remote Access Trojan",
From 048b831f53821d8bc0e8349ac575ab0a7d0ff152 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Mon, 27 Feb 2017 11:00:48 +0100
Subject: [PATCH 83/91] minor correction
---
 clusters/threat-actor.json | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c7d03b71..3dd6952b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -720,7 +720,6 @@
 "TG-4127",
 "Group-4127",
 "STRONTIUM",
- "Grey-Cloud",
 "TAG_0700"
 ],
 "country": "RU",
@@ -1229,16 +1228,12 @@
 {
 "meta": {
 "synonyms": [
- "Grey-Pro",
- "Coldriver",
 "Reuse team",
- "Malware reusers",
- "Callisto Group",
 "Dancing Salome"
 ]
 },
 "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
- "value": "Callisto"
+ "value": "Malware reusers"
 },
 {
 "value": "TERBIUM",
From a224c7ce5e281b2dbbb98748a6ed975733ec1c88 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Feb 2017 09:17:33 +0100
Subject: [PATCH 84/91] add: Gamaredon Group added
---
 clusters/threat-actor.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3dd6952b..bdcd282e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
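Review bot: Renaming the entry's `value` from `Callisto` to `Malware reusers` silently breaks every existing tag of the form `misp-galaxy:threat-actor="Callisto"`, because entries in this file carry no per-entry uuid that could survive a rename — only the cluster-level `uuid` and `version` exist. The commit also leaves `version` untouched (the diffstat's 1 insertion / 6 deletions are fully accounted for by the lines shown), whereas the other commits in this series bump it; MISP compares that field when deciding whether to reload a galaxy, so instances will not pick up this correction. Suggest bumping `"version"` and stating in the commit message that `Callisto` is deliberately no longer an alias of this group, so the rename is not mistaken for a typo fix.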
@@ -1375,6 +1375,15 @@
 "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
 ]
 }
+ },
+ {
+ "value": "Gamaredon Group",
+ "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
+ ]
+ }
 }
 ],
 "name": "Threat actor",
@@ -1389,5 +1398,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 15
+ "version": 16
 }
From e934f88b3b820723de215438420e065d5eee552c Mon Sep 17 00:00:00 2001
From: Chris Doman
Date: Wed, 1 Mar 2017 12:53:52 +0000
Subject: [PATCH 85/91] Added references
Mostly added references to existing groups Capitalised DarkHotel, put a space in APT30 default name (the others had that)
---
 clusters/threat-actor.json | 2682 +++++++++++++++++-------------------
 1 file changed, 1294 insertions(+), 1388 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bdcd282e..cc1cf9ad 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
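Review bot: The description is a verbatim first-person quote from the Unit 42 post (`We have labelled…`, `Our new research…`), so inside the galaxy it reads as if the maintainers themselves did the research. Rephrase in the cluster's usual third-person voice, e.g. `"Gamaredon Group is the name given by Palo Alto Networks Unit 42 to a threat group active since at least 2013 that historically relied on off-the-shelf tools and has since shifted to custom-developed malware."`. Unlike neighbouring entries the new one has no `country` or `synonyms`; if the cited report supports neither, leaving them out is the right call, but a note on targeting or motive from the same source would make the entry more useful to analysts.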
@@ -1,1391 +1,1297 @@ { - "values": [ - { - "meta": { - "synonyms": [ - "Comment Panda", - "PLA Unit 61398", - "APT 1", - "Advanced Persistent Threat 1", - "Byzantine Candor", - "Group 3", - "TG-8223", - "Comment Group" - ], - "country": "CN", - "refs": [ - "https://en.wikipedia.org/wiki/PLA_Unit_61398", - "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" - ] - }, - "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", - "value": "Comment Crew" - }, - { - "meta": { - "country": "CN" - }, - "value": "Stalker Panda" - }, - { - "value": "Nitro", - "meta": { - "country": "CN", - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" - ], - "synonyms": [ - "Covert Grove" - ] - } - }, - { - "value": "Codoso", - "meta": { - "country": "CN", - "refs": [ - "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" - ], - "synonyms": [ - "C0d0so", - "Sunshop Group" - ] - } - }, - { - "meta": { - "refs": [ - "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" - ] - }, - "value": "Dust Storm" - }, - { - "value": "Karma Panda", - "description": "Adversary targeting dissident groups in China and its surroundings.", - "meta": { - "country": "CN", - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - } - }, - { - "meta": { - "country": "CN" - }, - "value": "Keyhole Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Wet Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Foxy Panda", - "description": "Adversary group targeting telecommunication and technology organizations." 
- }, - { - "meta": { - "country": "CN" - }, - "value": "Predator Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Union Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Spicy Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Eloquent Panda" - }, - { - "meta": { - "synonyms": [ - "LadyBoyle" - ] - }, - "value": "Dizzy Panda" - }, - { - "meta": { - "synonyms": [ - "PLA Unit 61486", - "APT 2", - "Group 36", - "APT-2", - "MSUpdater", - "4HCrew", - "SULPHUR", - "TG-6952" - ], - "country": "CN", - "refs": [ - "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" - ] - }, - "description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ", - "value": "Putter Panda" - }, - { - "meta": { - "synonyms": [ - "Gothic Panda", - "TG-0110", - "APT 3", - "Group 6", - "UPS Team", - "APT3", - "Buckeye" - ], - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ] - }, - "value": "UPS" - }, - { - "meta": { - "synonyms": [ - "DUBNIUM" - ], - "refs": [ - "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2" - ] - }, - "value": "darkhotel" - }, - { - "meta": { - "synonyms": [ - "Numbered Panda", - "TG-2754", - "BeeBus", - "Group 22", - "DynCalc", - "Crimson Iron", - "APT12", - "APT 12" - ], - "country": "CN", - "refs": [ - "http://www.crowdstrike.com/blog/whois-numbered-panda/" - ] - }, - "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", - "value": "IXESHE" - 
}, - { - "meta": { - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" - ] - }, - "value": "APT 16" - }, - { - "meta": { - "synonyms": [ - "APT 17", - "Deputy Dog", - "Group 8", - "APT17", - "Hidden Lynx", - "Tailgater Team" - ], - "country": "CN", - "refs": [ - "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" - ] - }, - "value": "Aurora Panda" - }, - { - "meta": { - "synonyms": [ - "Dynamite Panda", - "TG-0416", - "APT 18", - "SCANDIUM", - "APT18" - ], - "country": "CN", - "refs": [ - "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" - ] - }, - "value": "Wekby" - }, - { - "meta": { - "synonyms": [ - "Operation Tropic Trooper" - ], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" - ] - }, - "value": "Tropic Trooper" - }, - { - "meta": { - "synonyms": [ - "Winnti Group", - "Tailgater Team", - "Group 72", - "Group72", - "Tailgater", - "Ragebeast", - "Blackfly" - ], - "country": "CN", - "refs": [ - "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", - "http://williamshowalter.com/a-universal-windows-bootkit/" - ] - }, - "value": "Axiom" - }, - { - "meta": { - "synonyms": [ - "Deep Panda", - "WebMasters", - "APT 19", - "KungFu Kittens", - "Black Vine", - "Group 13", - "PinkPanther", - "Sh3llCr3w" - ], - "country": "CN", - "refs": [ - "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "description": "Adversary group targeting 
financial, technology, non-profit organisations.", - "value": "Shell Crew" - }, - { - "meta": { - "synonyms": [ - "PLA Unit 78020", - "Override Panda", - "Camerashy", - "APT.Naikon" - ], - "country": "CN", - "refs": [ - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" - ] - }, - "value": "Naikon" - }, - { - "meta": { - "synonyms": [ - "Spring Dragon", - "ST Group" - ], - "country": "CN", - "refs": [ - "https://securelist.com/blog/research/70726/the-spring-dragon-apt/" - ] - }, - "value": "Lotus Blossom" - }, - { - "meta": { - "synonyms": [ - "Elise" - ], - "country": "CN" - }, - "value": "Lotus Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" - ] - }, - "value": "Hurricane Panda" - }, - { - "meta": { - "synonyms": [ - "TG-3390", - "APT 27", - "TEMP.Hippo", - "Group 35", - "HIPPOTeam", - "APT27", - "Operation Iron Tiger" - ], - "country": "CN", - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" - ] - }, - "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", - "value": "Emissary Panda" - }, - { - "meta": { - "synonyms": [ - "APT10", - "APT 10", - "menuPass", - "happyyongzi", - "POTASSIUM" - ], - "country": "CN" - }, - "value": "Stone Panda" - }, - { - "meta": { - "synonyms": [ - "APT 9", - "Flowerlady/Flowershow", - "Flowerlady", - "Flowershow" - ], - "country": "CN", - "refs": [ - "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" - ] - }, - "value": "Nightshade Panda" - }, - { - 
"meta": { - "synonyms": [ - "Goblin Panda", - "Cycldek" - ], - "country": "CN", - "refs": [ - "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" - ] - }, - "value": "Hellsing" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" - ] - }, - "value": "Night Dragon" - }, - { - "meta": { - "synonyms": [ - "Vixen Panda", - "Ke3Chang", - "GREF", - "Playful Dragon", - "APT 15", - "Metushy", - "Social Network Team" - ], - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html" - ] - }, - "value": "Mirage" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "APT14", - "APT 14", - "QAZTeam", - "ALUMINUM" - ], - "refs": [ - "http://www.crowdstrike.com/blog/whois-anchor-panda/" - ], - "motive": "Espionage" - }, - "value": "Anchor Panda", - "description": "PLA Navy" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "APT 21" - ], - "refs": [ - "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" - ] - }, - "value": "NetTraveler" - }, - { - "meta": { - "synonyms": [ - "IceFog", - "Dagger Panda" - ], - "country": "CN", - "refs": [ - "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" - ] - }, - "value": "Ice Fog", - "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well." - }, - { - "meta": { - "synonyms": [ - "PittyTiger", - "MANGANESE" - ], - "country": "CN" - }, - "value": "Pitty Panda", - "description": "The Pitty Tiger group has been active since at least 2011. 
They have been seen using HeartBleed vulnerability in order to directly get valid credentials" - }, - { - "value": "Roaming Tiger", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" - ] - } - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" - ] - }, - "value": "HiddenLynx" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Sneaky Panda" - ] - }, - "value": "Beijing Group" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Shrouded Crossbow" - ] - }, - "value": "Radio Panda" - }, - { - "value": "APT.3102", - "meta": { - "country": "CN", - "refs": [ - "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" - ] - } - }, - { - "meta": { - "synonyms": [ - "PLA Navy", - "APT4", - "APT 4", - "Getkys", - "SykipotGroup", - "Wkysol" - ], - "country": "CN", - "refs": [ - "http://www.crowdstrike.com/blog/whois-samurai-panda/" - ] - }, - "value": "Samurai Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Impersonating Panda" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "APT20", - "APT 20", - "TH3Bug" - ] - }, - "value": "Violin Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "description": "A group targeting dissident groups in China and at the boundaries.", - "value": "Toxic Panda" - }, - { - "meta": { - "synonyms": [ - "Admin338", - "Team338", - "MAGNESIUM", - "admin@338" - ], - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", - 
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" - ] - }, - "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", - "value": "Temper Panda" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "APT23", - "KeyBoy" - ] - }, - "value": "Pirate Panda" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "SaffronRose", - "Saffron Rose", - "AjaxSecurityTeam", - "Ajax Security Team", - "Group 26" - ] - }, - "value": "Flying Kitten", - "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry." - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "ITSecTeam", - "Threat Group 2889", - "TG-2889", - "Ghambar" - ], - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" - ] - }, - "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. 
Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", - "value": "Cutting Kitten" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Newscaster", - "Parastoo", - "Group 83", - "Newsbeef" - ] - }, - "value": "Charming Kitten", - "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors." - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Group 42" - ], - "refs": [ - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" - ] - }, - "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", - "value": "Magic Kitten" - }, - { - "meta": { - "synonyms": [ - "TEMP.Beanie", - "Operation Woolen Goldfish", - "Thamar Reservoir" - ], - "country": "IR", - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", - "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", - "http://www.clearskysec.com/thamar-reservoir/", - "https://citizenlab.org/2015/08/iran_two_factor_phishing/", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] - }, - "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear 
sciences.", - "value": "Rocket Kitten" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Operation Cleaver", - "Tarh Andishan", - "Alibaba", - "2889", - "TG-2889" - ], - "refs": [ - "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "value": "Cleaver", - "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies." - }, - { - "meta": { - "country": "IR" - }, - "value": "Sands Casino" - }, - { - "meta": { - "country": "TN", - "synonyms": [ - "FallagaTeam" - ], - "motive": "Hacktivism-Nationalist" - }, - "value": "Rebel Jackal", - "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region." - }, - { - "meta": { - "country": "AE", - "synonyms": [ - "Vikingdom" - ] - }, - "value": "Viking Jackal" - }, - { - "meta": { - "synonyms": [ - "APT 28", - "APT28", - "Pawn Storm", - "Fancy Bear", - "Sednit", - "TsarTeam", - "TG-4127", - "Group-4127", - "STRONTIUM", - "TAG_0700" - ], - "country": "RU", - "refs": [ - "https://en.wikipedia.org/wiki/Sofacy_Group" - ] - }, - "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", - "value": "Sofacy" - }, - { - "meta": { - "synonyms": [ - "Dukes", - "Group 100", - "Cozy Duke", - "CozyDuke", - "EuroAPT", - "CozyBear", - "CozyCar", - "Cozer", - "Office Monkeys", - "OfficeMonkeys", - "APT29", - "Cozy Bear", - "The Dukes", - "Minidionis", - "SeaDuke" - ], - "country": "RU", - "refs": [ - "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/" - ] - }, - "value": "APT 29" - }, - { - "meta": { - "synonyms": [ - "Turla", - "Snake", - "Venomous Bear", - "Group 88", - "Waterbug", - "WRAITH", - "Turla Team", - "Uroburos", - "Pfinet", - "TAG_0530", - "KRYPTON", - "Hippo Team" - ], - "refs": [ - "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", - "https://www.circl.lu/pub/tr-25/" - ], - "country": "RU" - }, - "value": "Turla Group" - }, - { - "meta": { - "synonyms": [ - "Dragonfly", - "Crouching Yeti", - "Group 24", - "Havex", - "CrouchingYeti", - "Koala Team" - ], - "country": "RU", - "refs": [ - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" - ] - }, - "description": "A Russian group that collects intelligence on the energy industry.", - "value": "Energetic Bear" - }, - { - "meta": { - "synonyms": [ - "Sandworm Team", - "Black Energy", - "BlackEnergy", - "Quedagh", - "Voodoo Bear" - ], - "country": "RU", - "refs": [ - "http://www.isightpartners.com/2014/10/cve-2014-4114/" - ] - }, - "value": "Sandworm" - }, - { - "meta": { - "country": "RU", - "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ] - }, - "value": "TeleBots", - "description": "We will refer to the gang behind the malware as TeleBots. 
However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." - }, - { - "meta": { - "synonyms": [ - "Carbanak", - "Carbon Spider" - ], - "country": "RU", - "motive": "Cybercrime" - }, - "description": "Groups targeting financial organizations or people with significant financial assets.", - "value": "Anunak" - }, - { - "meta": { - "synonyms": [ - "TeamSpy", - "Team Bear", - "Berserk Bear" - ], - "country": "RU", - "refs": [ - "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" - ] - }, - "value": "TeamSpy Crew" - }, - { - "meta": { - "country": "RU", - "refs": [ - "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" - ] - }, - "value": "BuhTrap" - }, - { - "meta": { - "country": "RU" - }, - "value": "Berserk Bear" - }, - { - "meta": { - "country": "RO", - "synonyms": [ - "FIN4" - ] - }, - "value": "Wolf Spider" - }, - { - "meta": { - "country": "RU" - }, - "value": "Boulder Bear", - "description": "First observed activity in December 2013." - }, - { - "meta": { - "country": "RU" - }, - "value": "Shark Spider", - "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets." - }, - { - "meta": { - "country": "RU", - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "value": "Union Spider", - "description": "Adversary targeting manufacturing and industrial organizations." 
- }, - { - "meta": { - "country": "KP", - "synonyms": [ - "OperationTroy", - "Guardian of Peace", - "GOP", - "WHOis Team" - ], - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "value": "Silent Chollima" - }, - { - "meta": { - "country": "KP", - "synonyms": [ - "Operation DarkSeoul" - ], - "refs": [ - "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/" - ] - }, - "value": "Lazarus Group" - }, - { - "meta": { - "synonyms": [ - "Appin", - "OperationHangover" - ], - "country": "IN" - }, - "value": "Viceroy Tiger" - }, - { - "meta": { - "synonyms": [ - "DD4BC", - "Ambiorx" - ], - "country": "US" - }, - "value": "Pizzo Spider" - }, - { - "meta": { - "synonyms": [ - "TunisianCyberArmy" - ], - "country": "TN" - }, - "value": "Corsair Jackal" - }, - { - "value": "SNOWGLOBE", - "meta": { - "country": "FR", - "synonyms": [ - "Animal Farm" - ] - }, - "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007." - }, - { - "meta": { - "synonyms": [ - "SyrianElectronicArmy", - "SEA" - ], - "country": "SY", - "refs": [ - "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" - ] - }, - "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. 
Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", - "value": "Deadeye Jackal" - }, - { - "meta": { - "country": "PK", - "synonyms": [ - "C-Major" - ], - "refs": [ - "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" - ] - }, - "value": "Operation C-Major", - "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro." - }, - { - "meta": { - "refs": [ - "https://citizenlab.org/2016/05/stealth-falcon/" - ], - "synonyms": [ - "FruityArmor" - ], - "country": "UAE" - }, - "value": "Stealth Falcon", - "description": "Group targeting Emirati journalists, activists, and dissidents." - }, - { - "meta": { - "synonyms": [ - "Operation Daybreak", - "Operation Erebus" - ], - "refs": [ - "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" - ] - }, - "value": "ScarCruft", - "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer." 
- }, - { - "meta": { - "refs": [ - "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" - ] - }, - "value": "Pacifier APT", - "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail." - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Operation C-Major" - ], - "refs": [ - "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" - ] - }, - "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder", - "value": "HummingBad" - }, - { - "meta": { - "synonyms": [ - "Chinastrats", - "Patchwork", - "Monsoon", - "Sarit" - ], - "refs": [ - "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", - "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" - ] - }, - "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. 
Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", - "value": "Dropping Elephant" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" - ] - }, - "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", - "value": "Operation Transparent Tribe" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://attack.mitre.org/wiki/Groups", - "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" - ] - }, - "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", - "value": "Scarlet Mimic" - }, - { - "meta": { - "refs": [ - "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", - "https://attack.mitre.org/wiki/Groups" - ], - "country": "BR" - }, - "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. 
The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", - "value": "Poseidon Group" - }, - { - "meta": { - "synonyms": [ - "Moafee" - ], - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", - "https://attack.mitre.org/wiki/Groups" - ], - "country": "CN" - }, - "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", - "value": "DragonOK" - }, - { - "meta": { - "synonyms": [ - "TG-3390", - "Emissary Panda" - ], - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", - "https://attack.mitre.org" - ], - "country": "CN" - }, - "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", - "value": "Threat Group-3390" - }, - { - "meta": { - "synonyms": [ - "Strider", - "Sauron" - ], - "refs": [ - "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" - ] - }, - "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. 
Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", - "value": "ProjectSauron" - }, - { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://attack.mitre.org/wiki/Group/G0013" - ], - "synonyms": [ - "APT 30" - ], - "country": "CN" - }, - "value": "APT30", - "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches." 
- }, - { - "meta": { - "country": "CN" - }, - "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", - "value": "TA530" - }, - { - "meta": { - "refs": [ - "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" - ], - "country": "RU" - }, - "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", - "value": "GCMAN" - }, - { - "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" - ], - "country": "CN" - }, - "description": "Suckfly is a China-based threat group that has been active since at least 2014", - "value": "Suckfly" - }, - { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" - ] - }, - "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", - "value": "FIN6" - }, - { - "meta": { - "country": "LBY" - }, - "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", - "value": "Libyan Scorpions" - }, - { - "meta": { - "refs": [ - "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" - ], - "country": "TU" - }, - "value": "StrongPity" - }, - { - "meta": { - "synonyms": [ - "CorporacaoXRat", - "CorporationXRat" - ], - "refs": [ - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" - ] - }, - "value": "TeamXRat" - }, - { - "meta": { - "refs": [ - 
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - ], - "country": "IR" - }, - "value": "OilRig", - "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015." - }, - { - "meta": { - "refs": [ - "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" - ] - }, - "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", - "value": "Volatile Cedar" - }, - { - "meta": { - "synonyms": [ - "Reuse team", - "Dancing Salome" - ] - }, - "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", - "value": "Malware reusers" - }, - { - "value": "TERBIUM", - "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" - ] - } - }, - { - "value": "Molerats", - "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. 
Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" - ], - "synonyms": [ - "Gaza Hackers Team", - "Operation Molerats", - "Extreme Jackal" - ] - } - }, - { - "value": "PROMETHIUM", - "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - } - }, - { - "value": "NEODYMIUM", - "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. 
Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - } - }, - { - "value": "Packrat", - "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", - "meta": { - "refs": [ - "https://citizenlab.org/2015/12/packrat-report/" - ] - } - }, - { - "value": "Cadelle", - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" - ], - "country": "IR" - } - }, - { - "value": "Chafer", - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. 
Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" - ], - "country": "IR" - } - }, - { - "value": "PassCV", - "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. 
We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", - "meta": { - "refs": [ - "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" - ], - "country": "CN" - } - }, - { - "value": "Sath-ı Müdafaa", - "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", - "meta": { - "country": "TU", - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "Aslan Neferler Tim", - "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", - "meta": { - "country": "TU", - "synonyms": [ - "Lion Soldiers Team", - "Phantom Turk" - ], - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "Ayyıldız Tim", - "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", - "meta": { - "country": "TU", - "synonyms": [ - "Crescent and Star" - ], - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "TurkHackTeam", - "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", - "meta": { - "country": "TU", - "synonyms": [ - "Turk Hack Team" - ], - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "Equation Group", - "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", - "meta": { - "country": "US", - "refs": [ - "https://en.wikipedia.org/wiki/Equation_Group" - ] - } - }, - { - "value": "Greenbug", - "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" - ] - } - }, - { - "value": "Gamaredon Group", - "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. 
Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" - ] - } + "values": [{ + "meta": { + "synonyms": [ + "Comment Panda", + "PLA Unit 61398", + "APT 1", + "Advanced Persistent Threat 1", + "Byzantine Candor", + "Group 3", + "TG-8223", + "Comment Group" + ], + "country": "CN", + "refs": [ + "https://en.wikipedia.org/wiki/PLA_Unit_61398", + "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" + ] + }, + "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", + "value": "Comment Crew" + }, { + "meta": { + "country": "CN" + }, + "value": "Stalker Panda" + }, { + "value": "Nitro", + "meta": { + "country": "CN", + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" + ], + "synonyms": [ + "Covert Grove" + ] } - ], + }, { + "value": "Codoso", + "meta": { + "country": "CN", + "refs": [ + "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" + ], + "synonyms": [ + "C0d0so", + "Sunshop Group" + ] + } + }, { + "meta": { + "refs": [ + "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" + ] + }, + "value": "Dust Storm" + }, { + "value": "Karma Panda", + "description": "Adversary targeting dissident groups in China and its surroundings.", + "meta": { + "country": "CN", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + } + }, { + "meta": { + "country": "CN" 
+ }, + "value": "Keyhole Panda" + }, { + "meta": { + "country": "CN" + }, + "value": "Wet Panda" + }, { + "meta": { + "country": "CN" + }, + "value": "Foxy Panda", + "description": "Adversary group targeting telecommunication and technology organizations." + }, { + "meta": { + "country": "CN" + }, + "value": "Predator Panda" + }, { + "meta": { + "country": "CN" + }, + "value": "Union Panda" + }, { + "meta": { + "country": "CN" + }, + "value": "Spicy Panda" + }, { + "meta": { + "country": "CN" + }, + "value": "Eloquent Panda" + }, { + "meta": { + "synonyms": [ + "LadyBoyle" + ] + }, + "value": "Dizzy Panda" + }, { + "meta": { + "synonyms": [ + "PLA Unit 61486", + "APT 2", + "Group 36", + "APT-2", + "MSUpdater", + "4HCrew", + "SULPHUR", + "TG-6952" + ], + "country": "CN", + "refs": [ + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + ] + }, + "description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. 
", + "value": "Putter Panda" + }, { + "meta": { + "synonyms": [ + "Gothic Panda", + "TG-0110", + "APT 3", + "Group 6", + "UPS Team", + "APT3", + "Buckeye" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ] + }, + "value": "UPS" + }, { + "meta": { + "synonyms": [ + "DUBNIUM" + ], + "refs": [ + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2" + ] + }, + "value": "DarkHotel" + }, { + "meta": { + "synonyms": [ + "Numbered Panda", + "TG-2754", + "BeeBus", + "Group 22", + "DynCalc", + "Crimson Iron", + "APT12", + "APT 12" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/whois-numbered-panda/" + ] + }, + "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", + "value": "IXESHE" + }, { + "meta": { + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" + ] + }, + "value": "APT 16" + }, { + "meta": { + "synonyms": [ + "APT 17", + "Deputy Dog", + "Group 8", + "APT17", + "Hidden Lynx", + "Tailgater Team" + ], + "country": "CN", + "refs": [ + "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" + ] + }, + "value": "Aurora Panda" + }, { + "meta": { + "synonyms": [ + "Dynamite Panda", + "TG-0416", + "APT 18", + "SCANDIUM", + "APT18" + ], + "country": "CN", + "refs": [ + "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" + ] + }, + "value": "Wekby" + }, { + "meta": { + "synonyms": [ + "Operation Tropic Trooper" + ], + "refs": [ + 
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + ] + }, + "value": "Tropic Trooper" + }, { + "meta": { + "synonyms": [ + "Winnti Group", + "Tailgater Team", + "Group 72", + "Group72", + "Tailgater", + "Ragebeast", + "Blackfly" + ], + "country": "CN", + "refs": [ + "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", + "http://williamshowalter.com/a-universal-windows-bootkit/" + ] + }, + "value": "Axiom" + }, { + "meta": { + "synonyms": [ + "Deep Panda", + "WebMasters", + "APT 19", + "KungFu Kittens", + "Black Vine", + "Group 13", + "PinkPanther", + "Sh3llCr3w" + ], + "country": "CN", + "refs": [ + "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "description": "Adversary group targeting financial, technology, non-profit organisations.", + "value": "Shell Crew" + }, { + "meta": { + "synonyms": [ + "PLA Unit 78020", + "Override Panda", + "Camerashy", + "APT.Naikon" + ], + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" + ] + }, + "value": "Naikon" + }, { + "meta": { + "synonyms": [ + "Spring Dragon", + "ST Group" + ], + "country": "CN", + "refs": [ + "https://securelist.com/blog/research/70726/the-spring-dragon-apt/" + ] + }, + "value": "Lotus Blossom" + }, { + "meta": { + "synonyms": [ + "Elise" + ], + "country": "CN" + }, + "value": "Lotus Panda" + }, { + "meta": { + "country": "CN", + "refs": [ + 
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" + ] + }, + "value": "Hurricane Panda" + }, { + "meta": { + "synonyms": [ + "TG-3390", + "APT 27", + "TEMP.Hippo", + "Group 35", + "HIPPOTeam", + "APT27", + "Operation Iron Tiger" + ], + "country": "CN", + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", + "value": "Emissary Panda" + }, { + "meta": { + "synonyms": [ + "APT10", + "APT 10", + "menuPass", + "happyyongzi", + "POTASSIUM" + ], + "country": "CN" + }, + "value": "Stone Panda" + }, { + "meta": { + "synonyms": [ + "APT 9", + "Flowerlady/Flowershow", + "Flowerlady", + "Flowershow" + ], + "country": "CN", + "refs": [ + "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" + ] + }, + "value": "Nightshade Panda" + }, { + "meta": { + "synonyms": [ + "Goblin Panda", + "Cycldek" + ], + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" + ] + }, + "value": "Hellsing" + }, { + "meta": { + "country": "CN", + "refs": [ + "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" + ] + }, + "value": "Night Dragon" + }, { + "meta": { + "synonyms": [ + "Vixen Panda", + "Ke3Chang", + "GREF", + "Playful Dragon", + "APT 15", + "Metushy", + "Social Network Team" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html" + ] + }, + "value": "Mirage" + }, { + "meta": { + "country": "CN", + "synonyms": [ + "APT14", + "APT 14", + "QAZTeam", + "ALUMINUM" + ], + "refs": [ + 
"http://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "motive": "Espionage" + }, + "value": "Anchor Panda", + "description": "PLA Navy" + }, { + "meta": { + "country": "CN", + "synonyms": [ + "APT 21" + ], + "refs": [ + "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" + ] + }, + "value": "NetTraveler" + }, { + "meta": { + "synonyms": [ + "IceFog", + "Dagger Panda" + ], + "country": "CN", + "refs": [ + "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" + ] + }, + "value": "Ice Fog", + "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well." + }, { + "meta": { + "synonyms": [ + "PittyTiger", + "MANGANESE" + ], + "country": "CN", + "refs": [ + "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2" + ] + }, + "value": "Pitty Panda", + "description": "The Pitty Tiger group has been active since at least 2011. 
They have been seen using HeartBleed vulnerability in order to directly get valid credentials" + }, { + "value": "Roaming Tiger", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + ] + } + }, { + "meta": { + "country": "CN", + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" + ] + }, + "value": "HiddenLynx" + }, { + "meta": { + "country": "CN", + "synonyms": [ + "Sneaky Panda" + ] + }, + "value": "Beijing Group" + }, { + "meta": { + "country": "CN", + "synonyms": [ + "Shrouded Crossbow" + ] + }, + "value": "Radio Panda" + }, { + "value": "APT.3102", + "meta": { + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" + ] + } + }, { + "meta": { + "synonyms": [ + "PLA Navy", + "APT4", + "APT 4", + "Getkys", + "SykipotGroup", + "Wkysol" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/whois-samurai-panda/" + ] + }, + "value": "Samurai Panda" + }, { + "meta": { + "country": "CN" + }, + "value": "Impersonating Panda" + }, { + "meta": { + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/" + ], + "synonyms": [ + "APT20", + "APT 20", + "TH3Bug" + ] + }, + "value": "Violin Panda" + }, { + "meta": { + "country": "CN", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "description": "A group targeting dissident groups in China and at the boundaries.", + "value": "Toxic Panda" + }, { + "meta": { + "synonyms": [ + "Admin338", + "Team338", + "MAGNESIUM", + "admin@338" + ], + "country": "CN", + "refs": [ + 
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + ] + }, + "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", + "value": "Temper Panda" + }, { + "meta": { + "country": "CN", + "refs": [ + "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" + ], + "synonyms": [ + "APT23", + "KeyBoy" + ] + }, + "value": "Pirate Panda" + }, { + "meta": { + "country": "IR", + "synonyms": [ + "SaffronRose", + "Saffron Rose", + "AjaxSecurityTeam", + "Ajax Security Team", + "Group 26" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf" + ] + }, + "value": "Flying Kitten", + "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry." + }, { + "meta": { + "country": "IR", + "synonyms": [ + "ITSecTeam", + "Threat Group 2889", + "TG-2889", + "Ghambar" + ], + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + ] + }, + "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. 
Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", + "value": "Cutting Kitten" + }, { + "meta": { + "country": "IR", + "synonyms": [ + "Newscaster", + "Parastoo", + "Group 83", + "Newsbeef" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Operation_Newscaster" + ] + }, + "value": "Charming Kitten", + "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors." + }, { + "meta": { + "country": "IR", + "synonyms": [ + "Group 42" + ], + "refs": [ + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", + "value": "Magic Kitten" + }, { + "meta": { + "synonyms": [ + "TEMP.Beanie", + "Operation Woolen Goldfish", + "Thamar Reservoir" + ], + "country": "IR", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", + "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", + "http://www.clearskysec.com/thamar-reservoir/", + "https://citizenlab.org/2015/08/iran_two_factor_phishing/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various 
scholars, including scientists in the fields of physics and nuclear sciences.", + "value": "Rocket Kitten" + }, { + "meta": { + "country": "IR", + "synonyms": [ + "Operation Cleaver", + "Tarh Andishan", + "Alibaba", + "2889", + "TG-2889" + ], + "refs": [ + "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "value": "Cleaver", + "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies." + }, { + "meta": { + "country": "IR" + }, + "value": "Sands Casino" + }, { + "meta": { + "country": "TN", + "synonyms": [ + "FallagaTeam" + ], + "motive": "Hacktivism-Nationalist" + }, + "value": "Rebel Jackal", + "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region." + }, { + "meta": { + "country": "AE", + "synonyms": [ + "Vikingdom" + ] + }, + "value": "Viking Jackal" + }, { + "meta": { + "synonyms": [ + "APT 28", + "APT28", + "Pawn Storm", + "Fancy Bear", + "Sednit", + "TsarTeam", + "TG-4127", + "Group-4127", + "STRONTIUM", + "TAG_0700" + ], + "country": "RU", + "refs": [ + "https://en.wikipedia.org/wiki/Sofacy_Group" + ] + }, + "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", + "value": "Sofacy" + }, { + "meta": { + "synonyms": [ + "Dukes", + "Group 100", + "Cozy Duke", + "CozyDuke", + "EuroAPT", + "CozyBear", + "CozyCar", + "Cozer", + "Office Monkeys", + "OfficeMonkeys", + "APT29", + "Cozy Bear", + "The Dukes", + "Minidionis", + "SeaDuke" + ], + "country": "RU", + "refs": [ + "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/" + ] + }, + "value": "APT 29" + }, { + "meta": { + "synonyms": [ + "Turla", + "Snake", + "Venomous Bear", + "Group 88", + "Waterbug", + "WRAITH", + "Turla Team", + "Uroburos", + "Pfinet", + "TAG_0530", + "KRYPTON", + "Hippo Team" + ], + "refs": [ + "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", + "https://www.circl.lu/pub/tr-25/" + ], + "country": "RU" + }, + "value": "Turla Group" + }, { + "meta": { + "synonyms": [ + "Dragonfly", + "Crouching Yeti", + "Group 24", + "Havex", + "CrouchingYeti", + "Koala Team" + ], + "country": "RU", + "refs": [ + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "A Russian group that collects intelligence on the energy industry.", + "value": "Energetic Bear" + }, { + "meta": { + "synonyms": [ + "Sandworm Team", + "Black Energy", + "BlackEnergy", + "Quedagh", + "Voodoo Bear" + ], + "country": "RU", + "refs": [ + "http://www.isightpartners.com/2014/10/cve-2014-4114/" + ] + }, + "value": "Sandworm" + }, { + "meta": { + "country": "RU", + "refs": [ + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, + "value": "TeleBots", + "description": "We will refer to the gang behind the malware as TeleBots. 
However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." + }, { + "meta": { + "synonyms": [ + "Carbanak", + "Carbon Spider" + ], + "country": "RU", + "refs": [ + "https://en.wikipedia.org/wiki/Carbanak" + ], + "motive": "Cybercrime" + }, + "description": "Groups targeting financial organizations or people with significant financial assets.", + "value": "Anunak" + }, { + "meta": { + "synonyms": [ + "TeamSpy", + "Team Bear", + "Berserk Bear" + ], + "country": "RU", + "refs": [ + "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" + ] + }, + "value": "TeamSpy Crew" + }, { + "meta": { + "country": "RU", + "refs": [ + "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" + ] + }, + "value": "BuhTrap" + }, { + "meta": { + "country": "RU" + }, + "value": "Berserk Bear" + }, { + "meta": { + "country": "RO", + "synonyms": [ + "FIN4" + ] + }, + "value": "Wolf Spider" + }, { + "meta": { + "country": "RU" + }, + "value": "Boulder Bear", + "description": "First observed activity in December 2013." + }, { + "meta": { + "country": "RU" + }, + "value": "Shark Spider", + "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets." + }, { + "meta": { + "country": "RU", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Union Spider", + "description": "Adversary targeting manufacturing and industrial organizations." 
+ }, {
+ "meta": {
+ "country": "KP",
+ "synonyms": [
+ "OperationTroy",
+ "Guardian of Peace",
+ "GOP",
+ "WHOis Team"
+ ],
+ "refs": [
+ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Silent Chollima"
+ }, {
+ "meta": {
+ "country": "KP",
+ "synonyms": [
+ "Operation DarkSeoul"
+ ],
+ "refs": [
+ "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/"
+ ]
+ },
+ "value": "Lazarus Group"
+ }, {
+ "meta": {
+ "synonyms": [
+ "Appin",
+ "OperationHangover"
+ ],
+ "country": "IN",
+ "refs": [
+ "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+ ]
+ },
+ "value": "Viceroy Tiger"
+ }, {
+ "meta": {
+ "synonyms": [
+ "DD4BC",
+ "Ambiorx"
+ ],
+ "country": "US"
+ },
+ "value": "Pizzo Spider"
+ }, {
+ "meta": {
+ "synonyms": [
+ "TunisianCyberArmy"
+ ],
+ "country": "TN"
+ },
+ "value": "Corsair Jackal"
+ }, {
+ "value": "SNOWGLOBE",
+ "meta": {
+ "country": "FR",
+ "refs": [
+ "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/"
+ ],
+ "synonyms": [
+ "Animal Farm"
+ ]
+ },
+ "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
+ }, {
+ "meta": {
+ "synonyms": [
+ "SyrianElectronicArmy",
+ "SEA"
+ ],
+ "country": "SY",
+ "refs": [
+ "https://en.wikipedia.org/wiki/Syrian_Electronic_Army"
+ ]
+ },
+ "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear",
+ "value": "Deadeye Jackal"
+ }, {
+ "meta": {
+ "country": "PK",
+ "synonyms": [
+ "C-Major"
+ ],
+ "refs": [
+ "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf"
+ ]
+ },
+ "value": "Operation C-Major",
+ "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
+ }, {
+ "meta": {
+ "refs": [
+ "https://citizenlab.org/2016/05/stealth-falcon/"
+ ],
+ "synonyms": [
+ "FruityArmor"
+ ],
+ "country": "UAE"
+ },
+ "value": "Stealth Falcon",
+ "description": "Group targeting Emirati journalists, activists, and dissidents."
+ }, {
+ "meta": {
+ "synonyms": [
+ "Operation Daybreak",
+ "Operation Erebus"
+ ],
+ "refs": [
+ "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
+ ]
+ },
+ "value": "ScarCruft",
+ "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
+ }, {
+ "meta": {
+ "refs": [
+ "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
+ ]
+ },
+ "value": "Pacifier APT",
+ "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
+ }, {
+ "meta": {
+ "country": "CN",
+ "synonyms": [
+ "Operation C-Major"
+ ],
+ "refs": [
+ "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
+ ]
+ },
+ "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. 
With the potential to sell access to these devices to the highest bidder", + "value": "HummingBad" + }, { + "meta": { + "synonyms": [ + "Chinastrats", + "Patchwork", + "Monsoon", + "Sarit" + ], + "refs": [ + "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" + ] + }, + "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", + "value": "Dropping Elephant" + }, { + "meta": { + "refs": [ + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ] + }, + "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", + "value": "Operation Transparent Tribe" + }, { + "meta": { + "country": "CN", + "refs": [ + "https://attack.mitre.org/wiki/Groups", + "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + ] + }, + "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. 
While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", + "value": "Scarlet Mimic" + }, { + "meta": { + "refs": [ + "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", + "https://attack.mitre.org/wiki/Groups" + ], + "country": "BR" + }, + "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", + "value": "Poseidon Group" + }, { + "meta": { + "synonyms": [ + "Moafee" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "https://attack.mitre.org/wiki/Groups" + ], + "country": "CN" + }, + "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 
2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", + "value": "DragonOK" + }, { + "meta": { + "synonyms": [ + "TG-3390", + "Emissary Panda" + ], + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", + "https://attack.mitre.org" + ], + "country": "CN" + }, + "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", + "value": "Threat Group-3390" + }, { + "meta": { + "synonyms": [ + "Strider", + "Sauron" + ], + "refs": [ + "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" + ] + }, + "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. 
The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", + "value": "ProjectSauron" + }, { + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://attack.mitre.org/wiki/Group/G0013" + ], + "synonyms": [ + "APT30" + ], + "country": "CN" + }, + "value": "APT 30", + "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches." + }, { + "meta": { + "country": "CN" + }, + "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", + "value": "TA530" + }, { + "meta": { + "refs": [ + "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" + ], + "country": "RU" + }, + "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", + "value": "GCMAN" + }, { + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" + ], + "country": "CN" + }, + "description": "Suckfly is a China-based threat group that has been active since at least 2014", + "value": "Suckfly" + }, { + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + ] + }, + "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", + "value": "FIN6" + }, { + "meta": { + "country": "LBY" + }, + "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", + "value": "Libyan Scorpions" + }, { + "meta": { + "refs": [ + 
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" + ], + "country": "TU" + }, + "value": "StrongPity" + }, { + "meta": { + "synonyms": [ + "CorporacaoXRat", + "CorporationXRat" + ], + "refs": [ + "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" + ] + }, + "value": "TeamXRat" + }, { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + ], + "country": "IR" + }, + "value": "OilRig", + "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015." + }, { + "meta": { + "refs": [ + "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" + ] + }, + "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", + "value": "Volatile Cedar" + }, { + "meta": { + "synonyms": [ + "Reuse team", + "Dancing Salome" + ] + }, + "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", + "value": "Malware reusers" + }, { + "value": "TERBIUM", + "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. 
Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" + ] + } + }, { + "value": "Molerats", + "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" + ], + "synonyms": [ + "Gaza Hackers Team", + "Operation Molerats", + "Extreme Jackal" + ] + } + }, { + "value": "PROMETHIUM", + "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. 
In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + } + }, { + "value": "NEODYMIUM", + "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + } + }, { + "value": "Packrat", + "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", + "meta": { + "refs": [ + "https://citizenlab.org/2015/12/packrat-report/" + ] + } + }, { + "value": "Cadelle", + "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. 
Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "country": "IR" + } + }, { + "value": "Chafer", + "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "country": "IR" + } + }, { + "value": "PassCV", + "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. 
These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", + "meta": { + "refs": [ + "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" + ], + "country": "CN" + } + }, { + "value": "Sath-ı Müdafaa", + "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", + "meta": { + "country": "TU", + "motive": "Hacktivists-Nationalists" + } + }, { + "value": "Aslan Neferler Tim", + "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", + "meta": { + "country": "TU", + "synonyms": [ + "Lion Soldiers Team", + "Phantom Turk" + ], + "motive": "Hacktivists-Nationalists" + } + }, { + "value": "Ayyıldız Tim", + "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", + "meta": { + "country": "TU", + "synonyms": [ + "Crescent and Star" + ], + "motive": "Hacktivists-Nationalists" + } + }, { + "value": "TurkHackTeam", + "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", + "meta": { + "country": "TU", + "synonyms": [ + "Turk Hack Team" + ], + "motive": "Hacktivists-Nationalists" + } + }, { + "value": "Equation Group", + "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", + "meta": { + "country": "US", + "refs": [ + "https://en.wikipedia.org/wiki/Equation_Group" + ] + } + }, { + "value": "Greenbug", + "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" + ] + } + }, { + "value": "Gamaredon Group", + "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. 
Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
+ ]
+ }
+ }],
 "name": "Threat actor",
 "type": "threat-actor",
 "source": "MISP Project",
@@ -1398,5 +1304,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 16
-}
+ "version": 17
+}
\ No newline at end of file
From 9e5c983a65973b8c33e49cb298d4cc855bf24d48 Mon Sep 17 00:00:00 2001
From: Chris Doman
Date: Wed, 1 Mar 2017 13:24:00 +0000
Subject: [PATCH 86/91] Ran jq
---
 clusters/threat-actor.json | 2698 +++++++++++++++++++-----------------
 1 file changed, 1408 insertions(+), 1290 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cc1cf9ad..2fd6f6f5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
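Review bot: The new side drops the file's trailing newline (`\ No newline at end of file` after `+}`), so what should be a one-field version bump also rewrites the closing `}` line and every later edit will carry the same spurious `-}`/`+}` pair; keep the final newline as the earlier revisions of the file had. The bump to `"version": 17` also publishes the cluster with `country` values that are not ISO 3166-1 alpha-2 while the rest of the file uses that form: `"UAE"` on Stealth Falcon, `"TU"` on StrongPity, Sath-ı Müdafaa, Aslan Neferler Tim, Ayyıldız Tim and TurkHackTeam, and `"LBY"` on Libyan Scorpions, next to `"AE"`, `"TN"` and `"CN"` on neighbouring entries; consumers that filter or correlate on this field will silently miss these entries, and the intended codes appear to be `"AE"`, `"TR"` and `"LY"`. HummingBad's `synonyms` list contains `"Operation C-Major"`, which is the `value` of the separate Pakistan-attributed entry a few entries earlier, so a synonym lookup would conflate the two; that reads as a copy-paste slip and should be removed unless a cited source supports it. Those data lines sit in the preceding hunk, whose start is outside this view.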
@@ -1,1297 +1,1415 @@ { - "values": [{ - "meta": { - "synonyms": [ - "Comment Panda", - "PLA Unit 61398", - "APT 1", - "Advanced Persistent Threat 1", - "Byzantine Candor", - "Group 3", - "TG-8223", - "Comment Group" - ], - "country": "CN", - "refs": [ - "https://en.wikipedia.org/wiki/PLA_Unit_61398", - "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" - ] + "values": [ + { + "meta": { + "synonyms": [ + "Comment Panda", + "PLA Unit 61398", + "APT 1", + "Advanced Persistent Threat 1", + "Byzantine Candor", + "Group 3", + "TG-8223", + "Comment Group" + ], + "country": "CN", + "refs": [ + "https://en.wikipedia.org/wiki/PLA_Unit_61398", + "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" + ] + }, + "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", + "value": "Comment Crew" }, - "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", - "value": "Comment Crew" - }, { - "meta": { - "country": "CN" + { + "meta": { + "country": "CN" + }, + "value": "Stalker Panda" }, - "value": "Stalker Panda" - }, { - "value": "Nitro", - "meta": { - "country": "CN", - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" - ], - "synonyms": [ - "Covert Grove" - ] + { + "value": "Nitro", + "meta": { + "country": "CN", + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" + ], + "synonyms": [ + "Covert Grove" + ] + } + }, + { + "value": "Codoso", + "meta": { + "country": "CN", + "refs": [ + 
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" + ], + "synonyms": [ + "C0d0so", + "Sunshop Group" + ] + } + }, + { + "meta": { + "refs": [ + "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" + ] + }, + "value": "Dust Storm" + }, + { + "value": "Karma Panda", + "description": "Adversary targeting dissident groups in China and its surroundings.", + "meta": { + "country": "CN", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + } + }, + { + "meta": { + "country": "CN" + }, + "value": "Keyhole Panda" + }, + { + "meta": { + "country": "CN" + }, + "value": "Wet Panda" + }, + { + "meta": { + "country": "CN" + }, + "value": "Foxy Panda", + "description": "Adversary group targeting telecommunication and technology organizations." + }, + { + "meta": { + "country": "CN" + }, + "value": "Predator Panda" + }, + { + "meta": { + "country": "CN" + }, + "value": "Union Panda" + }, + { + "meta": { + "country": "CN" + }, + "value": "Spicy Panda" + }, + { + "meta": { + "country": "CN" + }, + "value": "Eloquent Panda" + }, + { + "meta": { + "synonyms": [ + "LadyBoyle" + ] + }, + "value": "Dizzy Panda" + }, + { + "meta": { + "synonyms": [ + "PLA Unit 61486", + "APT 2", + "Group 36", + "APT-2", + "MSUpdater", + "4HCrew", + "SULPHUR", + "TG-6952" + ], + "country": "CN", + "refs": [ + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + ] + }, + "description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. 
", + "value": "Putter Panda" + }, + { + "meta": { + "synonyms": [ + "Gothic Panda", + "TG-0110", + "APT 3", + "Group 6", + "UPS Team", + "APT3", + "Buckeye" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ] + }, + "value": "UPS" + }, + { + "meta": { + "synonyms": [ + "DUBNIUM" + ], + "refs": [ + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2" + ] + }, + "value": "DarkHotel" + }, + { + "meta": { + "synonyms": [ + "Numbered Panda", + "TG-2754", + "BeeBus", + "Group 22", + "DynCalc", + "Crimson Iron", + "APT12", + "APT 12" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/whois-numbered-panda/" + ] + }, + "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", + "value": "IXESHE" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" + ] + }, + "value": "APT 16" + }, + { + "meta": { + "synonyms": [ + "APT 17", + "Deputy Dog", + "Group 8", + "APT17", + "Hidden Lynx", + "Tailgater Team" + ], + "country": "CN", + "refs": [ + "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" + ] + }, + "value": "Aurora Panda" + }, + { + "meta": { + "synonyms": [ + "Dynamite Panda", + "TG-0416", + "APT 18", + "SCANDIUM", + "APT18" + ], + "country": "CN", + "refs": [ + "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" + ] + }, + "value": "Wekby" + }, + { + "meta": { + "synonyms": [ + "Operation Tropic Trooper" + ], + "refs": [ + 
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + ] + }, + "value": "Tropic Trooper" + }, + { + "meta": { + "synonyms": [ + "Winnti Group", + "Tailgater Team", + "Group 72", + "Group72", + "Tailgater", + "Ragebeast", + "Blackfly" + ], + "country": "CN", + "refs": [ + "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", + "http://williamshowalter.com/a-universal-windows-bootkit/" + ] + }, + "value": "Axiom" + }, + { + "meta": { + "synonyms": [ + "Deep Panda", + "WebMasters", + "APT 19", + "KungFu Kittens", + "Black Vine", + "Group 13", + "PinkPanther", + "Sh3llCr3w" + ], + "country": "CN", + "refs": [ + "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "description": "Adversary group targeting financial, technology, non-profit organisations.", + "value": "Shell Crew" + }, + { + "meta": { + "synonyms": [ + "PLA Unit 78020", + "Override Panda", + "Camerashy", + "APT.Naikon" + ], + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" + ] + }, + "value": "Naikon" + }, + { + "meta": { + "synonyms": [ + "Spring Dragon", + "ST Group" + ], + "country": "CN", + "refs": [ + "https://securelist.com/blog/research/70726/the-spring-dragon-apt/" + ] + }, + "value": "Lotus Blossom" + }, + { + "meta": { + "synonyms": [ + "Elise" + ], + "country": "CN" + }, + "value": "Lotus Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + 
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" + ] + }, + "value": "Hurricane Panda" + }, + { + "meta": { + "synonyms": [ + "TG-3390", + "APT 27", + "TEMP.Hippo", + "Group 35", + "HIPPOTeam", + "APT27", + "Operation Iron Tiger" + ], + "country": "CN", + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", + "value": "Emissary Panda" + }, + { + "meta": { + "synonyms": [ + "APT10", + "APT 10", + "menuPass", + "happyyongzi", + "POTASSIUM" + ], + "country": "CN" + }, + "value": "Stone Panda" + }, + { + "meta": { + "synonyms": [ + "APT 9", + "Flowerlady/Flowershow", + "Flowerlady", + "Flowershow" + ], + "country": "CN", + "refs": [ + "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" + ] + }, + "value": "Nightshade Panda" + }, + { + "meta": { + "synonyms": [ + "Goblin Panda", + "Cycldek" + ], + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" + ] + }, + "value": "Hellsing" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" + ] + }, + "value": "Night Dragon" + }, + { + "meta": { + "synonyms": [ + "Vixen Panda", + "Ke3Chang", + "GREF", + "Playful Dragon", + "APT 15", + "Metushy", + "Social Network Team" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html" + ] + }, + "value": "Mirage" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "APT14", + "APT 14", + "QAZTeam", + "ALUMINUM" + ], + "refs": [ + 
"http://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "motive": "Espionage" + }, + "value": "Anchor Panda", + "description": "PLA Navy" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "APT 21" + ], + "refs": [ + "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" + ] + }, + "value": "NetTraveler" + }, + { + "meta": { + "synonyms": [ + "IceFog", + "Dagger Panda" + ], + "country": "CN", + "refs": [ + "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" + ] + }, + "value": "Ice Fog", + "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well." + }, + { + "meta": { + "synonyms": [ + "PittyTiger", + "MANGANESE" + ], + "country": "CN", + "refs": [ + "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2" + ] + }, + "value": "Pitty Panda", + "description": "The Pitty Tiger group has been active since at least 2011. 
They have been seen using HeartBleed vulnerability in order to directly get valid credentials" + }, + { + "value": "Roaming Tiger", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + ] + } + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" + ] + }, + "value": "HiddenLynx" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Sneaky Panda" + ] + }, + "value": "Beijing Group" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Shrouded Crossbow" + ] + }, + "value": "Radio Panda" + }, + { + "value": "APT.3102", + "meta": { + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" + ] + } + }, + { + "meta": { + "synonyms": [ + "PLA Navy", + "APT4", + "APT 4", + "Getkys", + "SykipotGroup", + "Wkysol" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/whois-samurai-panda/" + ] + }, + "value": "Samurai Panda" + }, + { + "meta": { + "country": "CN" + }, + "value": "Impersonating Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/" + ], + "synonyms": [ + "APT20", + "APT 20", + "TH3Bug" + ] + }, + "value": "Violin Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "description": "A group targeting dissident groups in China and at the boundaries.", + "value": "Toxic Panda" + }, + { + "meta": { + "synonyms": [ + "Admin338", + "Team338", + "MAGNESIUM", + "admin@338" + ], + "country": "CN", + "refs": [ + 
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + ] + }, + "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", + "value": "Temper Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" + ], + "synonyms": [ + "APT23", + "KeyBoy" + ] + }, + "value": "Pirate Panda" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "SaffronRose", + "Saffron Rose", + "AjaxSecurityTeam", + "Ajax Security Team", + "Group 26" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf" + ] + }, + "value": "Flying Kitten", + "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry." + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "ITSecTeam", + "Threat Group 2889", + "TG-2889", + "Ghambar" + ], + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + ] + }, + "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. 
Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", + "value": "Cutting Kitten" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Newscaster", + "Parastoo", + "Group 83", + "Newsbeef" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Operation_Newscaster" + ] + }, + "value": "Charming Kitten", + "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors." + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Group 42" + ], + "refs": [ + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", + "value": "Magic Kitten" + }, + { + "meta": { + "synonyms": [ + "TEMP.Beanie", + "Operation Woolen Goldfish", + "Thamar Reservoir" + ], + "country": "IR", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", + "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", + "http://www.clearskysec.com/thamar-reservoir/", + "https://citizenlab.org/2015/08/iran_two_factor_phishing/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and 
various scholars, including scientists in the fields of physics and nuclear sciences.", + "value": "Rocket Kitten" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Operation Cleaver", + "Tarh Andishan", + "Alibaba", + "2889", + "TG-2889" + ], + "refs": [ + "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "value": "Cleaver", + "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies." + }, + { + "meta": { + "country": "IR" + }, + "value": "Sands Casino" + }, + { + "meta": { + "country": "TN", + "synonyms": [ + "FallagaTeam" + ], + "motive": "Hacktivism-Nationalist" + }, + "value": "Rebel Jackal", + "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region." + }, + { + "meta": { + "country": "AE", + "synonyms": [ + "Vikingdom" + ] + }, + "value": "Viking Jackal" + }, + { + "meta": { + "synonyms": [ + "APT 28", + "APT28", + "Pawn Storm", + "Fancy Bear", + "Sednit", + "TsarTeam", + "TG-4127", + "Group-4127", + "STRONTIUM", + "TAG_0700" + ], + "country": "RU", + "refs": [ + "https://en.wikipedia.org/wiki/Sofacy_Group" + ] + }, + "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", + "value": "Sofacy" + }, + { + "meta": { + "synonyms": [ + "Dukes", + "Group 100", + "Cozy Duke", + "CozyDuke", + "EuroAPT", + "CozyBear", + "CozyCar", + "Cozer", + "Office Monkeys", + "OfficeMonkeys", + "APT29", + "Cozy Bear", + "The Dukes", + "Minidionis", + "SeaDuke" + ], + "country": "RU", + "refs": [ + "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/" + ] + }, + "value": "APT 29" + }, + { + "meta": { + "synonyms": [ + "Turla", + "Snake", + "Venomous Bear", + "Group 88", + "Waterbug", + "WRAITH", + "Turla Team", + "Uroburos", + "Pfinet", + "TAG_0530", + "KRYPTON", + "Hippo Team" + ], + "refs": [ + "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", + "https://www.circl.lu/pub/tr-25/" + ], + "country": "RU" + }, + "value": "Turla Group" + }, + { + "meta": { + "synonyms": [ + "Dragonfly", + "Crouching Yeti", + "Group 24", + "Havex", + "CrouchingYeti", + "Koala Team" + ], + "country": "RU", + "refs": [ + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "A Russian group that collects intelligence on the energy industry.", + "value": "Energetic Bear" + }, + { + "meta": { + "synonyms": [ + "Sandworm Team", + "Black Energy", + "BlackEnergy", + "Quedagh", + "Voodoo Bear" + ], + "country": "RU", + "refs": [ + "http://www.isightpartners.com/2014/10/cve-2014-4114/" + ] + }, + "value": "Sandworm" + }, + { + "meta": { + "country": "RU", + "refs": [ + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, + "value": "TeleBots", + "description": "We will refer to the gang behind the malware as TeleBots. 
However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." + }, + { + "meta": { + "synonyms": [ + "Carbanak", + "Carbon Spider" + ], + "country": "RU", + "refs": [ + "https://en.wikipedia.org/wiki/Carbanak" + ], + "motive": "Cybercrime" + }, + "description": "Groups targeting financial organizations or people with significant financial assets.", + "value": "Anunak" + }, + { + "meta": { + "synonyms": [ + "TeamSpy", + "Team Bear", + "Berserk Bear" + ], + "country": "RU", + "refs": [ + "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" + ] + }, + "value": "TeamSpy Crew" + }, + { + "meta": { + "country": "RU", + "refs": [ + "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" + ] + }, + "value": "BuhTrap" + }, + { + "meta": { + "country": "RU" + }, + "value": "Berserk Bear" + }, + { + "meta": { + "country": "RO", + "synonyms": [ + "FIN4" + ] + }, + "value": "Wolf Spider" + }, + { + "meta": { + "country": "RU" + }, + "value": "Boulder Bear", + "description": "First observed activity in December 2013." + }, + { + "meta": { + "country": "RU" + }, + "value": "Shark Spider", + "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets." 
+ }, + { + "meta": { + "country": "RU", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Union Spider", + "description": "Adversary targeting manufacturing and industrial organizations." + }, + { + "meta": { + "country": "KP", + "synonyms": [ + "OperationTroy", + "Guardian of Peace", + "GOP", + "WHOis Team" + ], + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Silent Chollima" + }, + { + "meta": { + "country": "KP", + "synonyms": [ + "Operation DarkSeoul" + ], + "refs": [ + "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/" + ] + }, + "value": "Lazarus Group" + }, + { + "meta": { + "synonyms": [ + "Appin", + "OperationHangover" + ], + "country": "IN", + "refs": [ + "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" + ] + }, + "value": "Viceroy Tiger" + }, + { + "meta": { + "synonyms": [ + "DD4BC", + "Ambiorx" + ], + "country": "US" + }, + "value": "Pizzo Spider" + }, + { + "meta": { + "synonyms": [ + "TunisianCyberArmy" + ], + "country": "TN" + }, + "value": "Corsair Jackal" + }, + { + "value": "SNOWGLOBE", + "meta": { + "country": "FR", + "refs": [ + "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/" + ], + "synonyms": [ + "Animal Farm" + ] + }, + "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. 
The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007." + }, + { + "meta": { + "synonyms": [ + "SyrianElectronicArmy", + "SEA" + ], + "country": "SY", + "refs": [ + "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" + ] + }, + "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", + "value": "Deadeye Jackal" + }, + { + "meta": { + "country": "PK", + "synonyms": [ + "C-Major" + ], + "refs": [ + "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" + ] + }, + "value": "Operation C-Major", + "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro." + }, + { + "meta": { + "refs": [ + "https://citizenlab.org/2016/05/stealth-falcon/" + ], + "synonyms": [ + "FruityArmor" + ], + "country": "UAE" + }, + "value": "Stealth Falcon", + "description": "Group targeting Emirati journalists, activists, and dissidents." 
+ }, + { + "meta": { + "synonyms": [ + "Operation Daybreak", + "Operation Erebus" + ], + "refs": [ + "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" + ] + }, + "value": "ScarCruft", + "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer." + }, + { + "meta": { + "refs": [ + "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" + ] + }, + "value": "Pacifier APT", + "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail." + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Operation C-Major" + ], + "refs": [ + "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" + ] + }, + "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. 
With the potential to sell access to these devices to the highest bidder", + "value": "HummingBad" + }, + { + "meta": { + "synonyms": [ + "Chinastrats", + "Patchwork", + "Monsoon", + "Sarit" + ], + "refs": [ + "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" + ] + }, + "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", + "value": "Dropping Elephant" + }, + { + "meta": { + "refs": [ + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ] + }, + "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", + "value": "Operation Transparent Tribe" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://attack.mitre.org/wiki/Groups", + "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + ] + }, + "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. 
While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
+ "value": "Scarlet Mimic"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
+ "https://attack.mitre.org/wiki/Groups"
+ ],
+ "country": "BR"
+ },
+ "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
+ "value": "Poseidon Group"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Moafee"
+ ],
+ "refs": [
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
+ "https://attack.mitre.org/wiki/Groups"
+ ],
+ "country": "CN"
+ },
+ "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.",
+ "value": "DragonOK"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "TG-3390",
+ "Emissary Panda"
+ ],
+ "refs": [
+ "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
+ "https://attack.mitre.org"
+ ],
+ "country": "CN"
+ },
+ "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
+ "value": "Threat Group-3390"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Strider",
+ "Sauron"
+ ],
+ "refs": [
+ "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
+ ]
+ },
+ "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
+ "value": "ProjectSauron"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://attack.mitre.org/wiki/Group/G0013"
+ ],
+ "synonyms": [
+ "APT30"
+ ],
+ "country": "CN"
+ },
+ "value": "APT 30",
+ "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
+ },
+ {
+ "meta": {
+ "country": "CN"
+ },
+ "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns",
+ "value": "TA530"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
+ ],
+ "country": "RU"
+ },
+ "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
+ "value": "GCMAN"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
+ ],
+ "country": "CN"
+ },
+ "description": "Suckfly is a China-based threat group that has been active since at least 2014",
+ "value": "Suckfly"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
+ ]
+ },
+ "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.",
+ "value": "FIN6"
+ },
+ {
+ "meta": {
+ "country": "LBY"
+ },
+ "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
+ "value": "Libyan Scorpions"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
+ ],
+ "country": "TU"
+ },
+ "value": "StrongPity"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "CorporacaoXRat",
+ "CorporationXRat"
+ ],
+ "refs": [
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
+ ]
+ },
+ "value": "TeamXRat"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
+ ],
+ "country": "IR"
+ },
+ "value": "OilRig",
+ "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015."
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
+ ]
+ },
+ "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
+ "value": "Volatile Cedar"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Reuse team",
+ "Dancing Salome"
+ ]
+ },
+ "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
+ "value": "Malware reusers"
+ },
+ {
+ "value": "TERBIUM",
+ "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
+ "meta": {
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
+ ]
+ }
+ },
+ {
+ "value": "Molerats",
+ "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
+ ],
+ "synonyms": [
+ "Gaza Hackers Team",
+ "Operation Molerats",
+ "Extreme Jackal"
+ ]
+ }
+ },
+ {
+ "value": "PROMETHIUM",
+ "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
+ "meta": {
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
+ ]
+ }
+ },
+ {
+ "value": "NEODYMIUM",
+ "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
+ "meta": {
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
+ ]
+ }
+ },
+ {
+ "value": "Packrat",
+ "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
+ "meta": {
+ "refs": [
+ "https://citizenlab.org/2015/12/packrat-report/"
+ ]
+ }
+ },
+ {
+ "value": "Cadelle",
+ "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ ],
+ "country": "IR"
+ }
+ },
+ {
+ "value": "Chafer",
+ "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ ],
+ "country": "IR"
+ }
+ },
+ {
+ "value": "PassCV",
+ "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ",
+ "meta": {
+ "refs": [
+ "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+ ],
+ "country": "CN"
+ }
+ },
+ {
+ "value": "Sath-ı Müdafaa",
+ "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
+ "meta": {
+ "country": "TU",
+ "motive": "Hacktivists-Nationalists"
+ }
+ },
+ {
+ "value": "Aslan Neferler Tim",
+ "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam",
+ "meta": {
+ "country": "TU",
+ "synonyms": [
+ "Lion Soldiers Team",
+ "Phantom Turk"
+ ],
+ "motive": "Hacktivists-Nationalists"
+ }
+ },
+ {
+ "value": "Ayyıldız Tim",
+ "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
+ "meta": {
+ "country": "TU",
+ "synonyms": [
+ "Crescent and Star"
+ ],
+ "motive": "Hacktivists-Nationalists"
+ }
+ },
+ {
+ "value": "TurkHackTeam",
+ "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
+ "meta": {
+ "country": "TU",
+ "synonyms": [
+ "Turk Hack Team"
+ ],
+ "motive": "Hacktivists-Nationalists"
+ }
+ },
+ {
+ "value": "Equation Group",
+ "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
+ "meta": {
+ "country": "US",
+ "refs": [
+ "https://en.wikipedia.org/wiki/Equation_Group"
+ ]
+ }
+ },
+ {
+ "value": "Greenbug",
+ "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
+ ]
+ }
+ },
+ {
+ "value": "Gamaredon Group",
+ "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
+ ]
+ }
 }
- }, {
- "value": "Codoso",
- "meta": {
- "country": "CN",
- "refs": [
- "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
- ],
- "synonyms": [
- "C0d0so",
- "Sunshop Group"
- ]
- }
- }, {
- "meta": {
- "refs": [
- "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf"
- ]
- },
- "value": "Dust Storm"
- }, {
- "value": "Karma Panda",
- "description": "Adversary targeting dissident groups in China and its surroundings.",
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- }
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Keyhole Panda"
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Wet Panda"
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Foxy Panda",
- "description": "Adversary group targeting telecommunication and technology organizations."
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Predator Panda"
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Union Panda"
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Spicy Panda"
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Eloquent Panda"
- }, {
- "meta": {
- "synonyms": [
- "LadyBoyle"
- ]
- },
- "value": "Dizzy Panda"
- }, {
- "meta": {
- "synonyms": [
- "PLA Unit 61486",
- "APT 2",
- "Group 36",
- "APT-2",
- "MSUpdater",
- "4HCrew",
- "SULPHUR",
- "TG-6952"
- ],
- "country": "CN",
- "refs": [
- "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
- ]
- },
- "description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ",
- "value": "Putter Panda"
- }, {
- "meta": {
- "synonyms": [
- "Gothic Panda",
- "TG-0110",
- "APT 3",
- "Group 6",
- "UPS Team",
- "APT3",
- "Buckeye"
- ],
- "country": "CN",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
- "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
- ]
- },
- "value": "UPS"
- }, {
- "meta": {
- "synonyms": [
- "DUBNIUM"
- ],
- "refs": [
- "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
- "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
- ]
- },
- "value": "DarkHotel"
- }, {
- "meta": {
- "synonyms": [
- "Numbered Panda",
- "TG-2754",
- "BeeBus",
- "Group 22",
- "DynCalc",
- "Crimson Iron",
- "APT12",
- "APT 12"
- ],
- "country": "CN",
- "refs": [
- "http://www.crowdstrike.com/blog/whois-numbered-panda/"
- ]
- },
- "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
- "value": "IXESHE"
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"
- ]
- },
- "value": "APT 16"
- }, {
- "meta": {
- "synonyms": [
- "APT 17",
- "Deputy Dog",
- "Group 8",
- "APT17",
- "Hidden Lynx",
- "Tailgater Team"
- ],
- "country": "CN",
- "refs": [
- "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
- ]
- },
- "value": "Aurora Panda"
- }, {
- "meta": {
- "synonyms": [
- "Dynamite Panda",
- "TG-0416",
- "APT 18",
- "SCANDIUM",
- "APT18"
- ],
- "country": "CN",
- "refs": [
- "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"
- ]
- },
- "value": "Wekby"
- }, {
- "meta": {
- "synonyms": [
- "Operation Tropic Trooper"
- ],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
- ]
- },
- "value": "Tropic Trooper"
- }, {
- "meta": {
- "synonyms": [
- "Winnti Group",
- "Tailgater Team",
- "Group 72",
- "Group72",
- "Tailgater",
- "Ragebeast",
- "Blackfly"
- ],
- "country": "CN",
- "refs": [
- "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
- "http://williamshowalter.com/a-universal-windows-bootkit/"
- ]
- },
- "value": "Axiom"
- }, {
- "meta": {
- "synonyms": [
- "Deep Panda",
- "WebMasters",
- "APT 19",
- "KungFu Kittens",
- "Black Vine",
- "Group 13",
- "PinkPanther",
- "Sh3llCr3w"
- ],
- "country": "CN",
- "refs": [
- "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- },
- "description": "Adversary group targeting financial, technology, non-profit organisations.",
- "value": "Shell Crew"
- }, {
- "meta": {
- "synonyms": [
- "PLA Unit 78020",
- "Override Panda",
- "Camerashy",
- "APT.Naikon"
- ],
- "country": "CN",
- "refs": [
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"
- ]
- },
- "value": "Naikon"
- }, {
- "meta": {
- "synonyms": [
- "Spring Dragon",
- "ST Group"
- ],
- "country": "CN",
- "refs": [
- "https://securelist.com/blog/research/70726/the-spring-dragon-apt/"
- ]
- },
- "value": "Lotus Blossom"
- }, {
- "meta": {
- "synonyms": [
- "Elise"
- ],
- "country": "CN"
- },
- "value": "Lotus Panda"
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
- ]
- },
- "value": "Hurricane Panda"
- }, {
- "meta": {
- "synonyms": [
- "TG-3390",
- "APT 27",
- "TEMP.Hippo",
- "Group 35",
- "HIPPOTeam",
- "APT27",
- "Operation Iron Tiger"
- ],
- "country": "CN",
- "refs": [
- "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
- ]
- },
- "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
- "value": "Emissary Panda"
- }, {
- "meta": {
- "synonyms": [
- "APT10",
- "APT 10",
- "menuPass",
- "happyyongzi",
- "POTASSIUM"
- ],
- "country": "CN"
- },
- "value": "Stone Panda"
- }, {
- "meta": {
- "synonyms": [
- "APT 9",
- "Flowerlady/Flowershow",
- "Flowerlady",
- "Flowershow"
- ],
- "country": "CN",
- "refs": [
- "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"
- ]
- },
- "value": "Nightshade Panda"
- }, {
- "meta": {
- "synonyms": [
- "Goblin Panda",
- "Cycldek"
- ],
- "country": "CN",
- "refs": [
- "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/"
- ]
- },
- "value": "Hellsing"
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "https://kc.mcafee.com/corporate/index?page=content&id=KB71150"
- ]
- },
- "value": "Night Dragon"
- }, {
- "meta": {
- "synonyms": [
- "Vixen Panda",
- "Ke3Chang",
- "GREF",
- "Playful Dragon",
- "APT 15",
- "Metushy",
- "Social Network Team"
- ],
- "country": "CN",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"
- ]
- },
- "value": "Mirage"
- }, {
- "meta": {
- "country": "CN",
- "synonyms": [
- "APT14",
- "APT 14",
- "QAZTeam",
- "ALUMINUM"
- ],
- "refs": [
- "http://www.crowdstrike.com/blog/whois-anchor-panda/"
- ],
- "motive": "Espionage"
- },
- "value": "Anchor Panda",
- "description": "PLA Navy"
- }, {
- "meta": {
- "country": "CN",
- "synonyms": [
- "APT 21"
- ],
- "refs": [
- "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/"
- ]
- },
- "value": "NetTraveler"
- }, {
- "meta": {
- "synonyms": [
- "IceFog",
- "Dagger Panda"
- ],
- "country": "CN",
- "refs": [
- "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"
- ]
- },
- "value": "Ice Fog",
- "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well."
- }, {
- "meta": {
- "synonyms": [
- "PittyTiger",
- "MANGANESE"
- ],
- "country": "CN",
- "refs": [
- "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
- ]
- },
- "value": "Pitty Panda",
- "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials"
- }, {
- "value": "Roaming Tiger",
- "meta": {
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
- ]
- }
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"
- ]
- },
- "value": "HiddenLynx"
- }, {
- "meta": {
- "country": "CN",
- "synonyms": [
- "Sneaky Panda"
- ]
- },
- "value": "Beijing Group"
- }, {
- "meta": {
- "country": "CN",
- "synonyms": [
- "Shrouded Crossbow"
- ]
- },
- "value": "Radio Panda"
- }, {
- "value": "APT.3102",
- "meta": {
- "country": "CN",
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
- ]
- }
- }, {
- "meta": {
- "synonyms": [
- "PLA Navy",
- "APT4",
- "APT 4",
- "Getkys",
- "SykipotGroup",
- "Wkysol"
- ],
- "country": "CN",
- "refs": [
- "http://www.crowdstrike.com/blog/whois-samurai-panda/"
- ]
- },
- "value": "Samurai Panda"
- }, {
- "meta": {
- "country": "CN"
- },
- "value": "Impersonating Panda"
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/"
- ],
- "synonyms": [
- "APT20",
- "APT 20",
- "TH3Bug"
- ]
- },
- "value": "Violin Panda"
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- },
- "description": "A group targeting dissident groups in China and at the boundaries.",
- "value": "Toxic Panda"
- }, {
- "meta": {
- "synonyms": [
- "Admin338",
- "Team338",
- "MAGNESIUM",
- "admin@338"
- ],
- "country": "CN",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
- "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
- ]
- },
- "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.",
- "value": "Temper Panda"
- }, {
- "meta": {
- "country": "CN",
- "refs": [
- "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
- ],
- "synonyms": [
- "APT23",
- "KeyBoy"
- ]
- },
- "value": "Pirate Panda"
- }, {
- "meta": {
- "country": "IR",
- "synonyms": [
- "SaffronRose",
- "Saffron Rose",
- "AjaxSecurityTeam",
- "Ajax Security Team",
- "Group 26"
- ],
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf"
- ]
- },
- "value": "Flying Kitten",
- "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry."
- }, {
- "meta": {
- "country": "IR",
- "synonyms": [
- "ITSecTeam",
- "Threat Group 2889",
- "TG-2889",
- "Ghambar"
- ],
- "refs": [
- "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
- ]
- },
- "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.",
- "value": "Cutting Kitten"
- }, {
- "meta": {
- "country": "IR",
- "synonyms": [
- "Newscaster",
- "Parastoo",
- "Group 83",
- "Newsbeef"
- ],
- "refs": [
- "https://en.wikipedia.org/wiki/Operation_Newscaster"
- ]
- },
- "value": "Charming Kitten",
- "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors."
- }, {
- "meta": {
- "country": "IR",
- "synonyms": [
- "Group 42"
- ],
- "refs": [
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
- ]
- },
- "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
- "value": "Magic Kitten"
- }, {
- "meta": {
- "synonyms": [
- "TEMP.Beanie",
- "Operation Woolen Goldfish",
- "Thamar Reservoir"
- ],
- "country": "IR",
- "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
- "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
- "http://www.clearskysec.com/thamar-reservoir/",
- "https://citizenlab.org/2015/08/iran_two_factor_phishing/",
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
- ]
- },
- "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
- "value": "Rocket Kitten"
- }, {
- "meta": {
- "country": "IR",
- "synonyms": [
- "Operation Cleaver",
- "Tarh Andishan",
- "Alibaba",
- "2889",
- "TG-2889"
- ],
- "refs": [
- "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- },
- "value": "Cleaver",
- "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies."
- }, {
- "meta": {
- "country": "IR"
- },
- "value": "Sands Casino"
- }, {
- "meta": {
- "country": "TN",
- "synonyms": [
- "FallagaTeam"
- ],
- "motive": "Hacktivism-Nationalist"
- },
- "value": "Rebel Jackal",
- "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region."
- }, {
- "meta": {
- "country": "AE",
- "synonyms": [
- "Vikingdom"
- ]
- },
- "value": "Viking Jackal"
- }, {
- "meta": {
- "synonyms": [
- "APT 28",
- "APT28",
- "Pawn Storm",
- "Fancy Bear",
- "Sednit",
- "TsarTeam",
- "TG-4127",
- "Group-4127",
- "STRONTIUM",
- "TAG_0700"
- ],
- "country": "RU",
- "refs": [
- "https://en.wikipedia.org/wiki/Sofacy_Group"
- ]
- },
- "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
- "value": "Sofacy"
- }, {
- "meta": {
- "synonyms": [
- "Dukes",
- "Group 100",
- "Cozy Duke",
- "CozyDuke",
- "EuroAPT",
- "CozyBear",
- "CozyCar",
- "Cozer",
- "Office Monkeys",
- "OfficeMonkeys",
- "APT29",
- "Cozy Bear",
- "The Dukes",
- "Minidionis",
- "SeaDuke"
- ],
- "country": "RU",
- "refs": [
- "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"
- ]
- },
- "value": "APT 29"
- }, {
- "meta": {
- "synonyms": [
- "Turla",
- "Snake",
- "Venomous Bear",
- "Group 88",
- "Waterbug",
- "WRAITH",
- "Turla Team",
- "Uroburos",
- "Pfinet",
- "TAG_0530",
- "KRYPTON",
- "Hippo Team"
- ],
- "refs": [
- "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
- "https://www.circl.lu/pub/tr-25/"
- ],
- "country": "RU"
- },
- "value": "Turla Group"
- }, {
- "meta": {
- "synonyms": [
- "Dragonfly",
- "Crouching Yeti",
- "Group 24",
- "Havex",
- "CrouchingYeti",
- "Koala Team"
- ],
- "country": "RU",
- "refs": [
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
- ]
- },
- "description": "A Russian group that collects intelligence on the energy industry.",
- "value": "Energetic Bear"
- }, {
- "meta": {
- "synonyms": [
- "Sandworm Team",
- "Black Energy",
- "BlackEnergy",
- "Quedagh",
- "Voodoo Bear"
- ],
- "country": "RU",
- "refs": [
- "http://www.isightpartners.com/2014/10/cve-2014-4114/"
- ]
- },
- "value": "Sandworm"
- }, {
- "meta": {
- "country": "RU",
- "refs": [
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
- ]
- },
- "value": "TeleBots",
- "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group."
- }, {
- "meta": {
- "synonyms": [
- "Carbanak",
- "Carbon Spider"
- ],
- "country": "RU",
- "refs": [
- "https://en.wikipedia.org/wiki/Carbanak"
- ],
- "motive": "Cybercrime"
- },
- "description": "Groups targeting financial organizations or people with significant financial assets.",
- "value": "Anunak"
- }, {
- "meta": {
- "synonyms": [
- "TeamSpy",
- "Team Bear",
- "Berserk Bear"
- ],
- "country": "RU",
- "refs": [
- "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"
- ]
- },
- "value": "TeamSpy Crew"
- }, {
- "meta": {
- "country": "RU",
- "refs": [
- "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"
- ]
- },
- "value": "BuhTrap"
- }, {
- "meta": {
- "country": "RU"
- },
- "value": "Berserk Bear"
- }, {
- "meta": {
- "country": "RO",
- "synonyms": [
- "FIN4"
- ]
- },
- "value": "Wolf Spider"
- }, {
- "meta": {
- "country": "RU"
- },
- "value": "Boulder Bear",
- "description": "First observed activity in December 2013."
- }, {
- "meta": {
- "country": "RU"
- },
- "value": "Shark Spider",
- "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets."
- }, {
- "meta": {
- "country": "RU",
- "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- },
- "value": "Union Spider",
- "description": "Adversary targeting manufacturing and industrial organizations."
- }, {
- "meta": {
- "country": "KP",
- "synonyms": [
- "OperationTroy",
- "Guardian of Peace",
- "GOP",
- "WHOis Team"
- ],
- "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- },
- "value": "Silent Chollima"
- }, {
- "meta": {
- "country": "KP",
- "synonyms": [
- "Operation DarkSeoul"
- ],
- "refs": [
- "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/"
- ]
- },
- "value": "Lazarus Group"
- }, {
- "meta": {
- "synonyms": [
- "Appin",
- "OperationHangover"
- ],
- "country": "IN",
- "refs": [
- "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
- ]
- },
- "value": "Viceroy Tiger"
- }, {
- "meta": {
- "synonyms": [
- "DD4BC",
- "Ambiorx"
- ],
- "country": "US"
- },
- "value": "Pizzo Spider"
- }, {
- "meta": {
- "synonyms": [
- "TunisianCyberArmy"
- ],
- "country": "TN"
- },
- "value": "Corsair Jackal"
- }, {
- "value": "SNOWGLOBE",
- "meta": {
- "country": "FR",
- "refs": [
- "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/"
- ],
- "synonyms": [
- "Animal Farm"
- ]
- },
- "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
- }, { - "meta": { - "synonyms": [ - "SyrianElectronicArmy", - "SEA" - ], - "country": "SY", - "refs": [ - "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" - ] - }, - "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", - "value": "Deadeye Jackal" - }, { - "meta": { - "country": "PK", - "synonyms": [ - "C-Major" - ], - "refs": [ - "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" - ] - }, - "value": "Operation C-Major", - "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro." - }, { - "meta": { - "refs": [ - "https://citizenlab.org/2016/05/stealth-falcon/" - ], - "synonyms": [ - "FruityArmor" - ], - "country": "UAE" - }, - "value": "Stealth Falcon", - "description": "Group targeting Emirati journalists, activists, and dissidents." 
- }, { - "meta": { - "synonyms": [ - "Operation Daybreak", - "Operation Erebus" - ], - "refs": [ - "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" - ] - }, - "value": "ScarCruft", - "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer." - }, { - "meta": { - "refs": [ - "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" - ] - }, - "value": "Pacifier APT", - "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail." - }, { - "meta": { - "country": "CN", - "synonyms": [ - "Operation C-Major" - ], - "refs": [ - "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" - ] - }, - "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. 
With the potential to sell access to these devices to the highest bidder", - "value": "HummingBad" - }, { - "meta": { - "synonyms": [ - "Chinastrats", - "Patchwork", - "Monsoon", - "Sarit" - ], - "refs": [ - "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", - "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" - ] - }, - "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", - "value": "Dropping Elephant" - }, { - "meta": { - "refs": [ - "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" - ] - }, - "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", - "value": "Operation Transparent Tribe" - }, { - "meta": { - "country": "CN", - "refs": [ - "https://attack.mitre.org/wiki/Groups", - "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" - ] - }, - "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. 
While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", - "value": "Scarlet Mimic" - }, { - "meta": { - "refs": [ - "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", - "https://attack.mitre.org/wiki/Groups" - ], - "country": "BR" - }, - "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", - "value": "Poseidon Group" - }, { - "meta": { - "synonyms": [ - "Moafee" - ], - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", - "https://attack.mitre.org/wiki/Groups" - ], - "country": "CN" - }, - "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 
2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", - "value": "DragonOK" - }, { - "meta": { - "synonyms": [ - "TG-3390", - "Emissary Panda" - ], - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", - "https://attack.mitre.org" - ], - "country": "CN" - }, - "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", - "value": "Threat Group-3390" - }, { - "meta": { - "synonyms": [ - "Strider", - "Sauron" - ], - "refs": [ - "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" - ] - }, - "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. 
The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", - "value": "ProjectSauron" - }, { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://attack.mitre.org/wiki/Group/G0013" - ], - "synonyms": [ - "APT30" - ], - "country": "CN" - }, - "value": "APT 30", - "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches." - }, { - "meta": { - "country": "CN" - }, - "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", - "value": "TA530" - }, { - "meta": { - "refs": [ - "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" - ], - "country": "RU" - }, - "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", - "value": "GCMAN" - }, { - "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" - ], - "country": "CN" - }, - "description": "Suckfly is a China-based threat group that has been active since at least 2014", - "value": "Suckfly" - }, { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" - ] - }, - "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", - "value": "FIN6" - }, { - "meta": { - "country": "LBY" - }, - "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", - "value": "Libyan Scorpions" - }, { - "meta": { - "refs": [ - 
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" - ], - "country": "TU" - }, - "value": "StrongPity" - }, { - "meta": { - "synonyms": [ - "CorporacaoXRat", - "CorporationXRat" - ], - "refs": [ - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" - ] - }, - "value": "TeamXRat" - }, { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - ], - "country": "IR" - }, - "value": "OilRig", - "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015." - }, { - "meta": { - "refs": [ - "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" - ] - }, - "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", - "value": "Volatile Cedar" - }, { - "meta": { - "synonyms": [ - "Reuse team", - "Dancing Salome" - ] - }, - "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", - "value": "Malware reusers" - }, { - "value": "TERBIUM", - "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. 
Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" - ] - } - }, { - "value": "Molerats", - "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" - ], - "synonyms": [ - "Gaza Hackers Team", - "Operation Molerats", - "Extreme Jackal" - ] - } - }, { - "value": "PROMETHIUM", - "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. 
In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - } - }, { - "value": "NEODYMIUM", - "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - } - }, { - "value": "Packrat", - "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", - "meta": { - "refs": [ - "https://citizenlab.org/2015/12/packrat-report/" - ] - } - }, { - "value": "Cadelle", - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. 
Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" - ], - "country": "IR" - } - }, { - "value": "Chafer", - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" - ], - "country": "IR" - } - }, { - "value": "PassCV", - "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. 
These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", - "meta": { - "refs": [ - "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" - ], - "country": "CN" - } - }, { - "value": "Sath-ı Müdafaa", - "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", - "meta": { - "country": "TU", - "motive": "Hacktivists-Nationalists" - } - }, { - "value": "Aslan Neferler Tim", - "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", - "meta": { - "country": "TU", - "synonyms": [ - "Lion Soldiers Team", - "Phantom Turk" - ], - "motive": "Hacktivists-Nationalists" - } - }, { - "value": "Ayyıldız Tim", - "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", - "meta": { - "country": "TU", - "synonyms": [ - "Crescent and Star" - ], - "motive": "Hacktivists-Nationalists" - } - }, { - "value": "TurkHackTeam", - "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", - "meta": { - "country": "TU", - "synonyms": [ - "Turk Hack Team" - ], - "motive": "Hacktivists-Nationalists" - } - }, { - "value": "Equation Group", - "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", - "meta": { - "country": "US", - "refs": [ - "https://en.wikipedia.org/wiki/Equation_Group" - ] - } - }, { - "value": "Greenbug", - "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" - ] - } - }, { - "value": "Gamaredon Group", - "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. 
Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
- "meta": {
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
- ]
- }
- }],
+ ],
 "name": "Threat actor",
 "type": "threat-actor",
 "source": "MISP Project",
From e002e62204a5a7a826eb32d55afbdae82f2e7470 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 1 Mar 2017 14:55:45 +0100
Subject: [PATCH 87/91] missing \n at the end of the file
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2fd6f6f5..07a87e2c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1423,4 +1423,4 @@
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
 "version": 17
-}
\ No newline at end of file
+}
From 71ad9099c414047858ba1b122adc53e29dfc2470 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 13:59:46 +0100
Subject: [PATCH 88/91] IMEIJ added
---
 clusters/tool.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index fafb104d..cb4e9c82 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2037,9 +2037,18 @@
 "https://github.com/n1nj4sec/pupy"
 ]
 }
+ },
+ {
+ "value": "ELF_IMEIJ",
+ "description": "Linux Arm malware spread via RFIs in cgi-bin scripts. This backdoor executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/elf_imeij.a"
+ ]
+ }
 }
 ],
- "version": 23,
+ "version": 24,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "authors": [
From 4112a041f7883c45db31f35eb1588e97eca5f46f Mon Sep 17 00:00:00 2001
From: CERT-Bund
Date: Thu, 16 Mar 2017 17:02:55 +0100
Subject: [PATCH 89/91] Added groups, joined groups, added synonyms (see extended description) Added: HammerPanda, Barium, Infy, Sima, Groundbait Joined: StrongPity and Promethium Synonyms: Lead as Winnti, Moonlight as MoleRats, FalloutTeam as DarkHotel, DustStorm as StonePanda, Skipper and Popeye as Pacifier
---
 clusters/threat-actor.json | 113 +++++++++++++++++++++++++++++++------
 1 file changed, 95 insertions(+), 18 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 07a87e2c..325443d6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -163,7 +163,8 @@
 {
 "meta": {
 "synonyms": [
- "DUBNIUM"
+ "DUBNIUM",
+ "Fallout Team"
 ],
 "refs": [
 "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
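Review bot: The new tool entry in the `@@ -2037` hunk has no `synonyms`, so the short name the commit itself uses, "IMEIJ", will not match the cluster; only the Trend Micro detection name `ELF_IMEIJ` is stored as `value`. Add `"synonyms": [ "IMEIJ" ]` to `meta` next to `refs`. The description also leaves an abbreviation unexpanded and miscapitalises the architecture; `"Linux ARM malware spread via remote file inclusion (RFI) in cgi-bin scripts. …"` reads better for consumers who only see the text in a tag tooltip.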
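Review bot: The `Fallout Team` synonym added in the `@@ -163` hunk has no supporting reference; the entry's `refs` list continues outside the hunk, but the diffstat (95 insertions) appears to be fully accounted for by the hunks visible here, so this commit adds no source for the alias anywhere. The same applies to `DustStorm` in the `@@ -360` hunk and to `Skipper`, `Popeye` and `"country": "RU"` in the `@@ -1045` hunk on the following line. The commit message is the only place these mappings are justified, and consumers of the JSON never see it; each alias or attribution should carry a URL in `refs` (e.g. `"<source-url-for-alias>"` as a placeholder until one is chosen) or be held back until a source is available.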
@@ -255,12 +256,15 @@
 "Group72",
 "Tailgater",
 "Ragebeast",
- "Blackfly"
+ "Blackfly",
+ "Lead",
+ "Wicked Spider"
 ],
 "country": "CN",
 "refs": [
 "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
- "http://williamshowalter.com/a-universal-windows-bootkit/"
+ "http://williamshowalter.com/a-universal-windows-bootkit/",
+ "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
 ]
 },
 "value": "Axiom"
@@ -360,7 +364,8 @@
 "APT 10",
 "menuPass",
 "happyyongzi",
- "POTASSIUM"
+ "POTASSIUM",
+ "DustStorm"
 ],
 "country": "CN"
 },
@@ -1045,7 +1050,12 @@
 "meta": {
 "refs": [
 "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
- ]
+ ],
+ "synonyms": [
+ "Skipper",
+ "Popeye"
+ ],
+ "country": "RU"
 },
 "value": "Pacifier APT",
 "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
@@ -1209,15 +1219,6 @@
 "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
 "value": "Libyan Scorpions"
 },
- {
- "meta": {
- "refs": [
- "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
- ],
- "country": "TU"
- },
- "value": "StrongPity"
- },
 {
 "meta": {
 "synonyms": [
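Review bot: The `@@ -255` hunk folds `Lead` into Axiom as a synonym, while the `@@ -1408` hunk of the same commit adds `Barium` as its own entry described as "one of the groups using Winnti" and cites the same Microsoft reference for both. If Lead is, like Barium, a distinct group that shares the Winnti tooling, recording it as an Axiom alias conflates an actor with a shared malware family and will mis-resolve tags. Either give Lead its own entry citing that reference, or state the conflation in Axiom's `description` (outside the hunk), e.g. `"Microsoft tracks Lead and Barium as distinct groups using Winnti; Lead is listed here as a synonym for convenience."`. `Wicked Spider` is added in the same hunk with no reference at all.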
@@ -1273,12 +1274,14 @@
 "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
 "meta": {
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
+ "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
+ "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
 ],
 "synonyms": [
 "Gaza Hackers Team",
 "Operation Molerats",
- "Extreme Jackal"
+ "Extreme Jackal",
+ "Moonlight"
 ]
 }
 },
@@ -1287,8 +1290,13 @@
 "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
 "meta": {
 "refs": [
- "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
- ]
+ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
+ "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
+ ],
+ "synonyms": [
+ "StrongPity"
+ ],
+ "country": "TU"
 }
 },
 {
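Review bot: The merge carries `"country": "TU"` over from the removed StrongPity entry (the `@@ -1209` hunk on the previous line), but `TU` is not an ISO 3166-1 alpha-2 code; Turkey is `TR`, and the file otherwise uses alpha-2 codes such as `CN`, `IR` and `RU`, so a consumer filtering on country will never group this entry with the Turkish ones. Change the added line to `+ "country": "TR"`; the same code appears to be used on the Turkish hacktivist entries elsewhere in the file, so a file-wide pass would be better still. Note also that deleting the StrongPity cluster removes its `value`; unless consumers resolve tags through `synonyms` as well as `value`, anything already tagged with the StrongPity value stops resolving, which deserves a sentence in the commit message.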
@@ -1408,6 +1416,75 @@
 "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
 ]
 }
+ },
+ {
+ "meta": {
+ "country": "CHN",
+ "synonyms": [
+ "Zhenbao"
+ ],
+ "refs": [
+ "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
+ ]
+ },
+ "value": "Hammer Panda",
+ "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia."
+ },
+ {
+ "meta": {
+ "country": "CHN",
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
+ ]
+ },
+ "value": "Barium",
+ "description": "Barium is one of the groups using Winnti."
+ },
+ {
+ "meta": {
+ "country": "IRN",
+ "synonyms": [
+ "Operation Mermaid"
+ ],
+ "refs": [
+ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
+ ]
+ },
+ "value": "Infy",
+ "description": "Infy is a group of suspected Iranian origin."
+ }.
+ {
+ "meta": {
+ "country": "IRN",
+ "refs": [
+ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
+ ]
+ },
+ "value": "Sima",
+ "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora."
+ },
+ {
+ "meta": {
+ "country": "CHN",
+ "synonyms": [
+ "Cloudy Omega"
+ ],
+ "refs": [
+ "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+ ]
+ },
+ "value": "Blue Termite",
+ "description": "Blue Termite is a group of suspected Chinese origin active in Japan."
+ },
+ {
+ "meta": {
+ "country": "UKR",
+ "refs": [
+ "http://www.welivesecurity.com/2016/05/18/groundbait"
+ ]
+ },
+ "value": "Groundbait",
+ "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics."
 }
 ],
 "name": "Threat actor",
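Review bot: The six new entries use ISO alpha-3 country codes (`"country": "CHN"`, `"IRN"`, `"UKR"`) whereas the existing entries in this cluster use alpha-2 (`"CN"`, `"RU"` are visible in later hunks), so any consumer keying or filtering on `country` will treat these as distinct values from the rest of the file; normalise them to `"CN"`, `"IR"` and `"UA"`. The separator after the Infy entry is written `}.` instead of `},`, which makes the whole cluster file unparseable until a later commit in this series corrects it — running `jq . clusters/threat-actor.json` before committing would catch that class of error. Note also that `country` records attribution as a hard value while the descriptions only say "suspected ... origin"; downstream tooling will not carry that caveat, so the field should only be set where the cited reference actually supports it. The enclosing `values` array opens before this hunk and the cluster object closes after it.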
From 0d8d2653194153c2473d810ef1e65c4c6557fec7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 16 Mar 2017 17:27:17 +0100 Subject: [PATCH 90/91] Fix typo. --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 325443d6..b860894a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1452,7 +1452,7 @@
 },
 "value": "Infy",
 "description": "Infy is a group of suspected Iranian origin."
- }.
+ },
 {
 "meta": {
 "country": "IRN",
From e1b57013515ff29f53dac5281d6b65bedcf78ce2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 16 Mar 2017 17:31:43 +0100 Subject: [PATCH 91/91] JQ all the things --- clusters/threat-actor.json | 44 +++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b860894a..08733cd6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -257,14 +257,14 @@
 "Tailgater",
 "Ragebeast",
 "Blackfly",
- "Lead",
- "Wicked Spider"
+ "Lead",
+ "Wicked Spider"
 ],
 "country": "CN",
 "refs": [
 "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
 "http://williamshowalter.com/a-universal-windows-bootkit/",
- "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
+ "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
 ]
 },
 "value": "Axiom"
@@ -365,7 +365,7 @@
 "menuPass",
 "happyyongzi",
 "POTASSIUM",
- "DustStorm"
+ "DustStorm"
 ],
 "country": "CN"
 },
@@ -1053,7 +1053,7 @@
 ],
 "synonyms": [
 "Skipper",
- "Popeye"
+ "Popeye"
 ],
 "country": "RU"
 },
@@ -1281,7 +1281,7 @@
 "Gaza Hackers Team",
 "Operation Molerats",
 "Extreme Jackal",
- "Moonlight"
+ "Moonlight"
 ]
 }
 },
@@ -1417,10 +1417,10 @@
 ]
 }
 },
- {
+ {
 "meta": {
 "country": "CHN",
- "synonyms": [
+ "synonyms": [
 "Zhenbao"
 ],
 "refs": [
@@ -1430,23 +1430,23 @@
 "value": "Hammer Panda",
 "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia."
 },
- {
+ {
 "meta": {
- "country": "CHN",
- "refs": [
+ "country": "CHN",
+ "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
 ]
 },
 "value": "Barium",
 "description": "Barium is one of the groups using Winnti."
 },
- {
+ {
 "meta": {
- "country": "IRN",
- "synonyms": [
+ "country": "IRN",
+ "synonyms": [
 "Operation Mermaid"
 ],
- "refs": [
+ "refs": [
 "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
 ]
 },
@@ -1455,8 +1455,8 @@
 },
 {
 "meta": {
- "country": "IRN",
- "refs": [
+ "country": "IRN",
+ "refs": [
 "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
 ]
 },
@@ -1465,11 +1465,11 @@
 },
 {
 "meta": {
- "country": "CHN",
- "synonyms": [
+ "country": "CHN",
+ "synonyms": [
 "Cloudy Omega"
 ],
- "refs": [
+ "refs": [
 "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
 ]
 },
@@ -1478,8 +1478,8 @@
 },
 {
 "meta": {
- "country": "UKR",
- "refs": [
+ "country": "UKR",
+ "refs": [
 "http://www.welivesecurity.com/2016/05/18/groundbait"
 ]
 },